NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Remediation

Upgrade Ubuntu:20.04 sqlite3 to version 3.31.1-4ubuntu0.7+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6965
• https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
• http://seclists.org/fulldisclosure/2025/Sep/49
• http://seclists.org/fulldisclosure/2025/Sep/53
• http://seclists.org/fulldisclosure/2025/Sep/56
• http://seclists.org/fulldisclosure/2025/Sep/57
• http://seclists.org/fulldisclosure/2025/Sep/58
• http://www.openwall.com/lists/oss-security/2025/09/06/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Ubuntu:20.04 git.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
• https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
• https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-25646
• https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
• http://www.openwall.com/lists/oss-security/2026/02/09/7
• https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5318
• https://access.redhat.com/security/cve/CVE-2025-5318
• https://bugzilla.redhat.com/show_bug.cgi?id=2369131
• https://www.libssh.org/security/advisories/CVE-2025-5318.txt
• https://access.redhat.com/errata/RHSA-2025:18231
• https://access.redhat.com/errata/RHSA-2025:18275
• https://access.redhat.com/errata/RHSA-2025:18286
• https://access.redhat.com/errata/RHSA-2025:19012
• https://access.redhat.com/errata/RHSA-2025:19098
• https://access.redhat.com/errata/RHSA-2025:19101
• https://access.redhat.com/errata/RHSA-2025:19400
• https://access.redhat.com/errata/RHSA-2025:19401
• https://access.redhat.com/errata/RHSA-2025:19470
• https://access.redhat.com/errata/RHSA-2025:19472
• https://access.redhat.com/errata/RHSA-2025:19295
• https://access.redhat.com/errata/RHSA-2025:19313
• https://access.redhat.com/errata/RHSA-2025:19300
• https://access.redhat.com/errata/RHSA-2025:19807
• https://access.redhat.com/errata/RHSA-2025:20943
• https://access.redhat.com/errata/RHSA-2025:21013
• https://access.redhat.com/errata/RHSA-2025:19864
• https://access.redhat.com/errata/RHSA-2025:21329
• https://access.redhat.com/errata/RHSA-2025:21829
• https://access.redhat.com/errata/RHSA-2025:22275
• https://access.redhat.com/errata/RHSA-2025:23078
• https://access.redhat.com/errata/RHSA-2025:23079
• https://access.redhat.com/errata/RHSA-2025:23080
• https://access.redhat.com/errata/RHSA-2026:0326
• https://access.redhat.com/errata/RHSA-2026:1541
• https://access.redhat.com/errata/RHSA-2026:3461
• https://access.redhat.com/errata/RHSA-2026:3462

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-22801
• https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:20.04 pam.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
• https://access.redhat.com/security/cve/CVE-2025-8941
• https://bugzilla.redhat.com/show_bug.cgi?id=2388220
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15100
• https://access.redhat.com/errata/RHSA-2025:15104
• https://access.redhat.com/errata/RHSA-2025:15107
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15101
• https://access.redhat.com/errata/RHSA-2025:15102
• https://access.redhat.com/errata/RHSA-2025:15103
• https://access.redhat.com/errata/RHSA-2025:15105
• https://access.redhat.com/errata/RHSA-2025:15106
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:21885

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

There is no fixed version for Ubuntu:20.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681
• http://seclists.org/fulldisclosure/2025/May/10
• http://seclists.org/fulldisclosure/2025/May/11
• http://seclists.org/fulldisclosure/2025/May/12
• http://seclists.org/fulldisclosure/2025/May/6
• http://seclists.org/fulldisclosure/2025/May/7
• http://seclists.org/fulldisclosure/2025/May/8
• http://www.openwall.com/lists/oss-security/2025/09/24/11
• https://access.redhat.com/errata/RHSA-2025:22033
• https://access.redhat.com/errata/RHSA-2025:22035
• https://access.redhat.com/errata/RHSA-2025:22034
• https://access.redhat.com/errata/RHSA-2025:22607
• https://access.redhat.com/errata/RHSA-2025:22785
• https://access.redhat.com/errata/RHSA-2025:22842
• https://access.redhat.com/errata/RHSA-2025:22871

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-22695
• https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
• https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
• https://github.com/pnggroup/libpng/issues/778
• https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6395
• https://access.redhat.com/security/cve/CVE-2025-6395
• https://bugzilla.redhat.com/show_bug.cgi?id=2376755
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:20.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-3576
• https://access.redhat.com/security/cve/CVE-2025-3576
• https://bugzilla.redhat.com/show_bug.cgi?id=2359465
• https://lists.debian.org/debian-lts-announce/2025/05/msg00047.html
• https://access.redhat.com/errata/RHSA-2025:8411
• https://access.redhat.com/errata/RHSA-2025:9418
• https://access.redhat.com/errata/RHSA-2025:9430
• https://access.redhat.com/errata/RHSA-2025:11487
• https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.html
• https://access.redhat.com/errata/RHSA-2025:13664
• https://access.redhat.com/errata/RHSA-2025:13777
• https://access.redhat.com/errata/RHSA-2025:15000
• https://access.redhat.com/errata/RHSA-2025:15002
• https://access.redhat.com/errata/RHSA-2025:15004
• https://access.redhat.com/errata/RHSA-2025:15001
• https://access.redhat.com/errata/RHSA-2025:15003

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:20.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

Remediation

Upgrade Ubuntu:20.04 sqlite3 to version 3.31.1-4ubuntu0.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-29088
• https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
• https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
• https://sqlite.org/forum/forumpost/48f365daec
• https://sqlite.org/releaselog/3_49_1.html
• https://www.sqlite.org/cves.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:20.04 gnupg2.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68972
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46404339
• https://gpg.fail/formfeed

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Remediation

Upgrade Ubuntu:20.04 systemd to version 245.4-4ubuntu3.24+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4598
• https://access.redhat.com/security/cve/CVE-2025-4598
• https://bugzilla.redhat.com/show_bug.cgi?id=2369242
• https://www.openwall.com/lists/oss-security/2025/05/29/3
• http://www.openwall.com/lists/oss-security/2025/06/05/1
• http://www.openwall.com/lists/oss-security/2025/06/05/3
• https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598
• https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/
• https://www.openwall.com/lists/oss-security/2025/08/18/3
• http://seclists.org/fulldisclosure/2025/Jun/9
• https://lists.debian.org/debian-lts-announce/2025/07/msg00022.html
• http://www.openwall.com/lists/oss-security/2025/08/18/3
• https://access.redhat.com/errata/RHSA-2025:22660
• https://access.redhat.com/errata/RHSA-2025:22868
• https://access.redhat.com/errata/RHSA-2025:23234
• https://access.redhat.com/errata/RHSA-2025:23227
• https://access.redhat.com/errata/RHSA-2026:0414
• https://access.redhat.com/errata/RHSA-2026:1652

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4877
• https://access.redhat.com/security/cve/CVE-2025-4877
• https://bugzilla.redhat.com/show_bug.cgi?id=2376193
• https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d
• https://www.libssh.org/security/advisories/CVE-2025-4877.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4878
• https://access.redhat.com/security/cve/CVE-2025-4878
• https://bugzilla.redhat.com/show_bug.cgi?id=2376184
• https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
• https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Remediation

Upgrade Ubuntu:20.04 expat to version 2.2.9-1ubuntu0.8+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-24515
• https://github.com/libexpat/libexpat/pull/1131

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

There is no fixed version for Ubuntu:20.04 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14017
• https://curl.se/docs/CVE-2025-14017.html
• https://curl.se/docs/CVE-2025-14017.json
• http://www.openwall.com/lists/oss-security/2026/01/07/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Remediation

Upgrade Ubuntu:20.04 expat to version 2.2.9-1ubuntu0.8+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-25210
• https://github.com/libexpat/libexpat/pull/1075
• https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.14+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-46835
• https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da
• https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg
• https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
• http://www.openwall.com/lists/oss-security/2025/07/08/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.14+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-48386
• https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr
• http://www.openwall.com/lists/oss-security/2025/07/08/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.14+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-27613
• https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5
• https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652
• https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v
• https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
• http://www.openwall.com/lists/oss-security/2025/07/08/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15281
• https://sourceware.org/bugzilla/show_bug.cgi?id=33814
• http://www.openwall.com/lists/oss-security/2026/01/20/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4802
• https://sourceware.org/bugzilla/show_bug.cgi?id=32976
• https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
• http://www.openwall.com/lists/oss-security/2025/05/16/7
• http://www.openwall.com/lists/oss-security/2025/05/17/2
• https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058
• https://sourceware.org/bugzilla/show_bug.cgi?id=33185
• https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f
• http://www.openwall.com/lists/oss-security/2025/07/23/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.

Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0861
• https://sourceware.org/bugzilla/show_bug.cgi?id=33796
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
• http://www.openwall.com/lists/oss-security/2026/01/16/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0915
• http://www.openwall.com/lists/oss-security/2026/01/16/6
• https://sourceware.org/bugzilla/show_bug.cgi?id=33802

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66293
• https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
• https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
• https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f
• http://www.openwall.com/lists/oss-security/2025/12/03/6
• http://www.openwall.com/lists/oss-security/2025/12/03/7
• http://www.openwall.com/lists/oss-security/2025/12/03/8
• https://github.com/pnggroup/libpng/issues/764

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-65018
• https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
• https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
• https://github.com/pnggroup/libpng/pull/757
• https://github.com/pnggroup/libpng/issues/755
• https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-64505
• https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37
• https://github.com/pnggroup/libpng/pull/748
• https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-64506
• https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821
• https://github.com/pnggroup/libpng/pull/749
• https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-64720
• https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
• https://github.com/pnggroup/libpng/issues/686
• https://github.com/pnggroup/libpng/pull/751
• https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0964

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0967

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0968

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Remediation

Upgrade Ubuntu:20.04 libtasn1-6 to version 4.16.0-2ubuntu0.1+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-13151
• https://gitlab.com/gnutls/libtasn1
• https://gitlab.com/gnutls/libtasn1/-/merge_requests/121
• http://www.openwall.com/lists/oss-security/2026/01/08/5
• https://www.kb.cert.org/vuls/id/271649

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:20.04 openssl to version 1.1.1f-1ubuntu2.24+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9230
• https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
• https://github.com/openssl/openssl/commit/9e91358f365dee6c446dcdcdb01c04d2743fd280
• https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def
• https://github.com/openssl/openssl/commit/b5282d677551afda7d20e9c00e09561b547b2dfd
• https://github.com/openssl/openssl/commit/bae259a211ada6315dc50900686daaaaaa55f482
• https://github.openssl.org/openssl/extended-releases/commit/c2b96348bfa662f25f4fabf81958ae822063dae3
• https://github.openssl.org/openssl/extended-releases/commit/dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba
• https://openssl-library.org/news/secadv/20250930.txt
• https://lists.debian.org/debian-lts-announce/2025/10/msg00001.html
• http://www.openwall.com/lists/oss-security/2025/09/30/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-29088. Reason: This record is a duplicate of CVE-2025-29088. Notes: All CVE users should reference CVE-2025-29088 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Remediation

Upgrade Ubuntu:20.04 sqlite3 to version 3.31.1-4ubuntu0.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-52099
• http://sqlite3.com
• https://github.com/SCREAMBBY/CVE-2025-52099

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:20.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
• http://www.openwall.com/lists/oss-security/2025/11/01/6