Vulnerabilities: 134 via 340 paths

Dependencies: 420

Source: Docker

Target OS: ubuntu:24.04
Severity
  • 1
  • 9
  • 100
  • 24
Status
  • 134
  • 0
  • 0
OS binaries
  • 117
  • 17

critical severity

Race Condition

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Race Condition in the vm module with the timeout option. An attacker can leak secrets such as tokens or passwords, or cause data corruption, by exploiting a race condition in the buffer allocation logic that allows the zero-fill toggle to remain disabled when vm module timeouts interrupt execution.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

high severity

Uncaught Exception

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits() function, which incorrectly invokes ThrowException() based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash.

Note: The cryptographic operations involved are commonly applied to untrusted input.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users, resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or in the open source libraries it uses.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For example, the npm ws package.

Remediation

Upgrade node to version 20.19.2, 22.15.1, 23.11.1, 24.0.2 or higher.

high severity

Uncaught Exception

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception due to the unhandled TLSSocket error ECONNRESET. An attacker can cause an application crash by sending a malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data.

Note: This issue primarily affects applications that do not attach explicit error handlers to secure sockets.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

high severity

Uncaught Exception

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in Node.js HTTP request handling. The flaw triggers when an incoming request includes a header named __proto__ and the server application accesses req.headersDistinct. This causes dest["__proto__"] to incorrectly resolve to Object.prototype, resulting in an uncaught TypeError when .push() is called on a non-array. Because this exception is thrown synchronously inside a property getter, standard error listeners cannot intercept it. This causes the Node.js process to crash unless every access is explicitly wrapped in a try/catch block.

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

high severity

Directory Traversal

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Directory Traversal in the path.join function. An attacker can bypass the path traversal protection and access restricted files by crafting specific path inputs that leverage Windows reserved device names such as CON, PRN, and AUX.

Note: This issue only affects Windows systems and is the result of an incomplete fix for CVE-2025-23084.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade node to version 20.19.4, 22.17.1, 24.4.1 or higher.

high severity

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

  • Vulnerable module: node
  • Introduced through: node@20.17.0
  • Fixed in: 20.20.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when async_hooks (or AsyncLocalStorage) is enabled. Normally, a "Maximum call stack size exceeded" error (stack overflow) is catchable by try-catch blocks or uncaughtException handlers. However, if this error occurs while an async_hooks callback is on the stack (which happens frequently in frameworks like Next.js or when using APM tools), Node.js treats it as a fatal error. Remote attackers can trigger this crash by sending payloads that cause deep recursion (e.g., deeply nested JSON objects), leading to a Denial of Service.

Notes:

  1. Node.js 24.x and 25.x are less affected if using only AsyncLocalStorage, as they use a newer V8 feature that avoids this hook mechanism;

  2. The patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, best‑effort behavior and is not a reliable basis for availability or security.

PoC

import { createHook } from 'node:async_hooks';

// This simulates what APM tools do
createHook({ init() {} }).enable();

function recursive() {
  new Promise(() => {}); // Creates async context
  return recursive();
}

try {
  recursive();
} catch (err) {
  console.log('This never runs', err);
}

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

high severity

Uncaught Exception

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the TLS module when a TLS server is configured with pskCallback or ALPNCallback. A remote attacker can crash or exhaust resources of a TLS server by sending input that causes the callback to throw an error.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

high severity

Uncaught Exception

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the TLS module: when a SNICallback throws synchronously on unexpected input, the exception bypasses TLS error handlers and propagates as an uncaught exception. A remote attacker can crash or exhaust resources of a TLS server by sending input that causes the callback to throw an error.

Note: This is caused by an incomplete fix for CVE-2026-21637.

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

high severity

UNIX Symbolic Link (Symlink) Following

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink() function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

high severity
new

CVE-2026-45447

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.

Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.

When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.

In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.

Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

medium severity
new

Improper Null Termination

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

Out-of-bounds Write

  • Vulnerable module: mesa/libgbm1
  • Introduced through: mesa/libgbm1@25.2.8-0ubuntu0.24.04.1, mesa/libgl1-mesa-dri@25.2.8-0ubuntu0.24.04.1 and others
  • Fixed in: 25.2.8-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mesa/libgbm1@25.2.8-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mesa/libgl1-mesa-dri@25.2.8-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mesa/libglx-mesa0@25.2.8-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mesa/mesa-libgallium@25.2.8-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mesa package and not the mesa package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

Remediation

Upgrade Ubuntu:24.04 mesa to version 25.2.8-0ubuntu0.24.04.2 or higher.

medium severity
new

Integer Underflow

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

CVE-2026-6638

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

medium severity
new

Improper Validation of Specified Quantity in Input

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

Improper Validation of Specified Quantity in Input

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity

Directory Traversal

  • Vulnerable module: pam/libpam-modules
  • Introduced through: pam/libpam-modules@1.5.3-5ubuntu5.5, pam/libpam-modules-bin@1.5.3-5ubuntu5.5 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest pam/libpam-modules@1.5.3-5ubuntu5.5
  • Introduced through: rocker/shiny-verse@latest pam/libpam-modules-bin@1.5.3-5ubuntu5.5
  • Introduced through: rocker/shiny-verse@latest pam/libpam-runtime@1.5.3-5ubuntu5.5
  • Introduced through: rocker/shiny-verse@latest pam/libpam0g@1.5.3-5ubuntu5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:24.04 pam.

medium severity

Memory Leak

  • Vulnerable module: freeglut/libglut3.12
  • Introduced through: freeglut/libglut3.12@3.4.0-1build1
  • Fixed in: 3.4.0-1ubuntu0.1~esm1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest freeglut/libglut3.12@3.4.0-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freeglut package and not the freeglut package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.

Remediation

Upgrade Ubuntu:24.04 freeglut to version 3.4.0-1ubuntu0.1~esm1 or higher.

medium severity

Memory Leak

  • Vulnerable module: freeglut/libglut3.12
  • Introduced through: freeglut/libglut3.12@3.4.0-1build1
  • Fixed in: 3.4.0-1ubuntu0.1~esm1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest freeglut/libglut3.12@3.4.0-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freeglut package and not the freeglut package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.

Remediation

Upgrade Ubuntu:24.04 freeglut to version 3.4.0-1ubuntu0.1~esm1 or higher.

medium severity
new

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

Undefined Behavior for Input to API

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

CVE-2026-22016

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

medium severity
new

CVE-2026-34282

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

medium severity
new

Improper Certificate Validation

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

Improper Handling of Case Sensitivity

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

Numeric Errors

  • Vulnerable module: libssh2/libssh2-1-dev
  • Introduced through: libssh2/libssh2-1-dev@1.11.0-4.1build2 and libssh2/libssh2-1t64@1.11.0-4.1build2
  • Fixed in: 1.11.0-4.1ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest libssh2/libssh2-1-dev@1.11.0-4.1build2
  • Introduced through: rocker/shiny-verse@latest libssh2/libssh2-1t64@1.11.0-4.1build2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

Remediation

Upgrade Ubuntu:24.04 libssh2 to version 1.11.0-4.1ubuntu0.24.04.1 or higher.

medium severity
new

Improper Certificate Validation

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: libcap2
  • Introduced through: libcap2@1:2.66-5ubuntu2.2
  • Fixed in: 1:2.66-5ubuntu2.4

Detailed paths

  • Introduced through: rocker/shiny-verse@latest libcap2@1:2.66-5ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Remediation

Upgrade Ubuntu:24.04 libcap2 to version 1:2.66-5ubuntu2.4 or higher.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ReadFileUtf8 internal binding, which fails to clean up pointers in uv_fs_s.file. UTF-16 path buffers leak memory, which can lead to denial of service.

Note: CVE-2025-23122 is a duplicate of this vulnerability.

Remediation

Upgrade node to version 20.19.2, 22.15.1 or higher.

medium severity

HTTP Request Smuggling

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the llhttp implementation, when handling HTTP/1 headers terminated with \r\n\rX instead of the required \r\n\r\n. This allows attackers to bypass proxy-based access controls and submit unauthorized requests.

Remediation

Upgrade node to version 20.19.2 or higher.

medium severity

Inefficient Algorithmic Complexity

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the V8 JavaScript engine due to the string hashing mechanism predictably hashing integer-like strings directly to their numeric values. An attacker can exploit this by sending maliciously crafted payloads containing many colliding strings to endpoints that process user input (most commonly via JSON.parse()). This causes massive hash collisions within V8's internal string table, drastically degrading the performance of the Node.js process and resulting in a Denial of Service (DoS).

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

medium severity

Missing Release of Memory after Effective Lifetime

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in HTTP/2 servers that triggers when a client sends WINDOW_UPDATE frames on stream 0 that cause the flow control window to exceed $2^{31}-1$. Although the server responds with a GOAWAY frame, it fails to properly clean up the Http2Session object. An unauthenticated remote attacker can exploit this by continuously opening connections and sending these crafted frames. This forces the server to leak memory indefinitely, eventually causing resource exhaustion and a Denial of Service (DoS).

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

medium severity
new

Expired Pointer Dereference

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in GnuTLS. The gnutls_pkcs11_token_set_pin function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

CVE-2026-22009

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-22017

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34270

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34271

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34276

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34303

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34308

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity

Divide By Zero

  • Vulnerable module: pixman/libpixman-1-0
  • Introduced through: pixman/libpixman-1-0@0.42.2-1build1 and pixman/libpixman-1-dev@0.42.2-1build1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest pixman/libpixman-1-0@0.42.2-1build1
  • Introduced through: rocker/shiny-verse@latest pixman/libpixman-1-dev@0.42.2-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pixman package and not the pixman package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

stress-test master commit e4c878 was discovered to contain an FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Remediation

There is no fixed version for Ubuntu:24.04 pixman.

medium severity

Observable Timing Discrepancy

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the crypto_hmac.cc module using memcmp(), a non-constant-time comparison function, to validate user-provided HMAC signatures, rather than the timing-safe equivalents used elsewhere in the codebase. An attacker capable of taking high-resolution timing measurements can use the application as a timing oracle. Because the comparison leaks timing information proportional to the number of matching bytes, the attacker can iteratively infer the expected HMAC values, ultimately enabling them to forge valid Message Authentication Codes (MACs).

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

medium severity

Open Redirect

  • Vulnerable module: wget
  • Introduced through: wget@1.21.4-1ubuntu4.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest wget@1.21.4-1ubuntu4.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:24.04 wget.

medium severity
new

CVE-2026-34318

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity

CVE-2025-69651

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils through 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

medium severity

Out-of-Bounds

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

medium severity

Algorithmic Complexity

  • Vulnerable module: expat/libexpat1
  • Introduced through: expat/libexpat1@2.6.1-2ubuntu0.4 and expat/libexpat1-dev@2.6.1-2ubuntu0.4

Detailed paths

  • Introduced through: rocker/shiny-verse@latest expat/libexpat1@2.6.1-2ubuntu0.4
  • Introduced through: rocker/shiny-verse@latest expat/libexpat1-dev@2.6.1-2ubuntu0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:24.04 expat.

medium severity

Unrestricted Upload of File with Dangerous Type

  • Vulnerable module: tar
  • Introduced through: tar@1.35+dfsg-3build1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest tar@1.35+dfsg-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Ubuntu:24.04 tar.

medium severity
new

Off-by-one Error

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

CVE-2026-22013

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

medium severity
new

CVE-2026-22021

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

medium severity
new

CVE-2026-34317

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34319

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-21998

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-22002

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-22004

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-22005

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34267

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34278

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34293

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-34304

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-35236

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-35237

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-35238

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-35239

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

CVE-2026-35240

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity

Incorrect Authorization

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Incorrect Authorization in the permission model via the fs.futimes() function due to failing to check for write permissions. A process restricted to "read-only" access can still modify a file's access and modification timestamps. While it doesn't allow changing the file's content, it can be used to obscure malicious activity by tampering with audit logs or metadata.

Note: This is only exploitable if the attacker already has the ability to execute code on the system (within the restricted Node.js environment).

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

medium severity

Missing Authorization

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Missing Authorization via the fs.realpathSync.native() function. An attacker running malicious code within a restricted Node.js environment (where --allow-fs-read is intentionally limited) can exploit this missing check to verify file existence, resolve symlink targets, and enumerate paths outside of the permitted directories, leading to unauthorized information disclosure.

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: gnupg2/dirmngr
  • Introduced through: gnupg2/dirmngr@2.4.4-2ubuntu17.4, gnupg2/gpg-agent@2.4.4-2ubuntu17.4 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnupg2/dirmngr@2.4.4-2ubuntu17.4
  • Introduced through: rocker/shiny-verse@latest gnupg2/gpg-agent@2.4.4-2ubuntu17.4
  • Introduced through: rocker/shiny-verse@latest gnupg2/gpgv@2.4.4-2ubuntu17.4
  • Introduced through: rocker/shiny-verse@latest gnupg2/keyboxd@2.4.4-2ubuntu17.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:24.04 gnupg2.

medium severity
new

CVE-2026-22015

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

medium severity
new

Incorrect Behavior Order: Early Validation

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

Information Exposure

  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5
  • Fixed in: 3.8.3-1.1ubuntu3.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.6 or higher.

medium severity
new

CVE-2026-22018

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

medium severity

CVE-2025-13462

  • Vulnerable module: python3.12
  • Introduced through: python3.12@3.12.3-1ubuntu0.13, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.13 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest python3.12@3.12.3-1ubuntu0.13
  • Introduced through: rocker/shiny-verse@latest python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.13
  • Introduced through: rocker/shiny-verse@latest python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.13
  • Introduced through: rocker/shiny-verse@latest python3.12/python3.12-minimal@3.12.3-1ubuntu0.13

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.12 package and not the python3.12 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Remediation

There is no fixed version for Ubuntu:24.04 python3.12.

medium severity
new

CVE-2026-22007

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

medium severity
new

CVE-2026-34268

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

References

medium severity
new

CVE-2026-22001

  • Vulnerable module: mysql-8.0/libmysqlclient-dev
  • Introduced through: mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1 and mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1
  • Fixed in: 8.0.46-0ubuntu0.24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient-dev@8.0.45-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest mysql-8.0/libmysqlclient21@8.0.45-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.46-0ubuntu0.24.04.2 or higher.

References

medium severity

CVE-2025-69644

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

An issue was discovered in Binutils before 2.46. The objdump tool contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

medium severity

CVE-2025-69645

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

medium severity

CVE-2025-69646

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

medium severity

CVE-2025-69647

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

medium severity

CVE-2025-69648

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

medium severity

CVE-2025-69652

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils through 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

medium severity

CVE-2026-2219

  • Vulnerable module: dpkg
  • Introduced through: dpkg@1.22.6ubuntu6.5
  • Fixed in: 1.22.6ubuntu6.6

Detailed paths

  • Introduced through: rocker/shiny-verse@latest dpkg@1.22.6ubuntu6.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Remediation

Upgrade Ubuntu:24.04 dpkg to version 1.22.6ubuntu6.6 or higher.

References

medium severity

CVE-2026-4046

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.39-0ubuntu8.7, glibc/libc-dev-bin@2.39-0ubuntu8.7 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest glibc/libc-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc-dev-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6-dev@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/locales@2.39-0ubuntu8.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

medium severity

CVE-2026-4437

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.39-0ubuntu8.7, glibc/libc-dev-bin@2.39-0ubuntu8.7 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest glibc/libc-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc-dev-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6-dev@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/locales@2.39-0ubuntu8.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

medium severity

CVE-2026-4438

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.39-0ubuntu8.7, glibc/libc-dev-bin@2.39-0ubuntu8.7 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest glibc/libc-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc-dev-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6-dev@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/locales@2.39-0ubuntu8.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

medium severity
new

CVE-2026-5435

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.39-0ubuntu8.7, glibc/libc-dev-bin@2.39-0ubuntu8.7 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest glibc/libc-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc-dev-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6-dev@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/locales@2.39-0ubuntu8.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

medium severity
new

CVE-2026-6238

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.39-0ubuntu8.7, glibc/libc-dev-bin@2.39-0ubuntu8.7 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest glibc/libc-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc-dev-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6-dev@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/locales@2.39-0ubuntu8.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

medium severity
new

Integer Underflow

  • Vulnerable module: graphite2/libgraphite2-3
  • Introduced through: graphite2/libgraphite2-3@1.3.14-2build1 and graphite2/libgraphite2-dev@1.3.14-2build1
  • Fixed in: 1.3.14-2ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest graphite2/libgraphite2-3@1.3.14-2build1
  • Introduced through: rocker/shiny-verse@latest graphite2/libgraphite2-dev@1.3.14-2build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream graphite2 package and not the graphite2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range.

Remediation

Upgrade Ubuntu:24.04 graphite2 to version 1.3.14-2ubuntu0.24.04.1 or higher.

References

medium severity
new

Out-of-bounds Write

  • Vulnerable module: libgcrypt20
  • Introduced through: libgcrypt20@1.10.3-2build1
  • Fixed in: 1.10.3-2ubuntu0.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest libgcrypt20@1.10.3-2build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Remediation

Upgrade Ubuntu:24.04 libgcrypt20 to version 1.10.3-2ubuntu0.1 or higher.

References

medium severity

Reachable Assertion

  • Vulnerable module: nghttp2/libnghttp2-14
  • Introduced through: nghttp2/libnghttp2-14@1.59.0-1ubuntu0.2
  • Fixed in: 1.59.0-1ubuntu0.3

Detailed paths

  • Introduced through: rocker/shiny-verse@latest nghttp2/libnghttp2-14@1.59.0-1ubuntu0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Remediation

Upgrade Ubuntu:24.04 nghttp2 to version 1.59.0-1ubuntu0.3 or higher.

References

medium severity
new

CVE-2026-23865

  • Vulnerable module: openjdk-21/openjdk-21-jre-headless
  • Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04
  • Fixed in: 21.0.11+10-1~24.04.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openjdk-21/openjdk-21-jre-headless@21.0.10+7-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.11+10-1~24.04.2 or higher.

References

medium severity
new

CVE-2026-34182

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.

Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.

In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.

An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.

If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.

In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.

The FIPS modules are not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

References

medium severity
new

CVE-2026-45445

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.

Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.

OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.

If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.

The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

References

medium severity
new

CVE-2026-6472

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6473

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6474

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6475

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6476

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6477

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6478

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6479

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6575

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity
new

CVE-2026-6637

  • Vulnerable module: postgresql-16/libpq-dev
  • Introduced through: postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1 and postgresql-16/libpq5@16.13-0ubuntu0.24.04.1
  • Fixed in: 16.14-0ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq-dev@16.13-0ubuntu0.24.04.1
  • Introduced through: rocker/shiny-verse@latest postgresql-16/libpq5@16.13-0ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-16 package and not the postgresql-16 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Remediation

Upgrade Ubuntu:24.04 postgresql-16 to version 16.14-0ubuntu0.24.04.1 or higher.

References

medium severity

CVE-2026-2297

  • Vulnerable module: python3.12
  • Introduced through: python3.12@3.12.3-1ubuntu0.13, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.13 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest python3.12@3.12.3-1ubuntu0.13
  • Introduced through: rocker/shiny-verse@latest python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.13
  • Introduced through: rocker/shiny-verse@latest python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.13
  • Introduced through: rocker/shiny-verse@latest python3.12/python3.12-minimal@3.12.3-1ubuntu0.13

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.12 package and not the python3.12 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Remediation

There is no fixed version for Ubuntu:24.04 python3.12.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: sed
  • Introduced through: sed@4.9-2build1
  • Fixed in: 4.9-2ubuntu0.24.04.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest sed@4.9-2build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream sed package and not the sed package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:

  1. resolves symlink to its target and stores the resolved path for determining when output is written,
  2. opens the original symlink path (not the resolved one) to read the file.

Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

Remediation

Upgrade Ubuntu:24.04 sed to version 4.9-2ubuntu0.24.04.1 or higher.

References

medium severity
new

Use of Less Trusted Source

  • Vulnerable module: systemd
  • Introduced through: systemd@255.4-1ubuntu8.15, systemd/libsystemd0@255.4-1ubuntu8.15 and others
  • Fixed in: 255.4-1ubuntu8.16

Detailed paths

  • Introduced through: rocker/shiny-verse@latest systemd@255.4-1ubuntu8.15
  • Introduced through: rocker/shiny-verse@latest systemd/libsystemd0@255.4-1ubuntu8.15
  • Introduced through: rocker/shiny-verse@latest systemd/libudev1@255.4-1ubuntu8.15

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Remediation

Upgrade Ubuntu:24.04 systemd to version 255.4-1ubuntu8.16 or higher.

References

medium severity

Directory Traversal

  • Vulnerable module: tar
  • Introduced through: tar@1.35+dfsg-3build1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest tar@1.35+dfsg-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:24.04 tar.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: util-linux
  • Introduced through: util-linux@2.39.3-9ubuntu6.5, util-linux/bsdutils@1:2.39.3-9ubuntu6.5 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest util-linux@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/bsdutils@1:2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/libblkid-dev@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/libblkid1@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/libmount-dev@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/libmount1@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/libsmartcols1@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/libuuid1@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/mount@2.39.3-9ubuntu6.5
  • Introduced through: rocker/shiny-verse@latest util-linux/uuid-dev@2.39.3-9ubuntu6.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Ubuntu:24.04 util-linux.

References

low severity

Out-of-Bounds

  • Vulnerable module: elfutils/libelf1t64
  • Introduced through: elfutils/libelf1t64@0.190-1.1ubuntu0.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest elfutils/libelf1t64@0.190-1.1ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils package and not the elfutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Ubuntu:24.04 elfutils.

References

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.39-0ubuntu8.7, glibc/libc-dev-bin@2.39-0ubuntu8.7 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest glibc/libc-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc-dev-bin@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/libc6-dev@2.39-0ubuntu8.7
  • Introduced through: rocker/shiny-verse@latest glibc/locales@2.39-0ubuntu8.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

low severity

Buffer Overflow

  • Vulnerable module: icu/icu-devtools
  • Introduced through: icu/icu-devtools@74.2-1ubuntu3.1, icu/libicu-dev@74.2-1ubuntu3.1 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest icu/icu-devtools@74.2-1ubuntu3.1
  • Introduced through: rocker/shiny-verse@latest icu/libicu-dev@74.2-1ubuntu3.1
  • Introduced through: rocker/shiny-verse@latest icu/libicu74@74.2-1ubuntu3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream icu package and not the icu package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

Remediation

There is no fixed version for Ubuntu:24.04 icu.

References

low severity

Out-of-bounds Write

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.18.0-3build1, cairo/libcairo-script-interpreter2@1.18.0-3build1 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest cairo/libcairo-gobject2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo-script-interpreter2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo2-dev@1.18.0-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

Remediation

There is no fixed version for Ubuntu:24.04 cairo.

References

low severity

Reachable Assertion

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.18.0-3build1, cairo/libcairo-script-interpreter2@1.18.0-3build1 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest cairo/libcairo-gobject2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo-script-interpreter2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo2-dev@1.18.0-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.

Remediation

There is no fixed version for Ubuntu:24.04 cairo.

References

low severity

Improper Input Validation

  • Vulnerable module: coreutils
  • Introduced through: coreutils@9.4-3ubuntu6.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest coreutils@9.4-3ubuntu6.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:24.04 coreutils.

References

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.18.0-3build1, cairo/libcairo-script-interpreter2@1.18.0-3build1 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest cairo/libcairo-gobject2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo-script-interpreter2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo2@1.18.0-3build1
  • Introduced through: rocker/shiny-verse@latest cairo/libcairo2-dev@1.18.0-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

Remediation

There is no fixed version for Ubuntu:24.04 cairo.

References

low severity
new

Heap-based Buffer Overflow

  • Vulnerable module: xz-utils
  • Introduced through: xz-utils@5.6.1+really5.4.5-1ubuntu0.2, xz-utils/liblzma-dev@5.6.1+really5.4.5-1ubuntu0.2 and others
  • Fixed in: 5.6.1+really5.4.5-1ubuntu0.3

Detailed paths

  • Introduced through: rocker/shiny-verse@latest xz-utils@5.6.1+really5.4.5-1ubuntu0.2
  • Introduced through: rocker/shiny-verse@latest xz-utils/liblzma-dev@5.6.1+really5.4.5-1ubuntu0.2
  • Introduced through: rocker/shiny-verse@latest xz-utils/liblzma-doc@5.6.1+really5.4.5-1ubuntu0.2
  • Introduced through: rocker/shiny-verse@latest xz-utils/liblzma5@5.6.1+really5.4.5-1ubuntu0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Remediation

Upgrade Ubuntu:24.04 xz-utils to version 5.6.1+really5.4.5-1ubuntu0.3 or higher.

References

low severity

Improper Resource Shutdown or Release

  • Vulnerable module: elfutils/libelf1t64
  • Introduced through: elfutils/libelf1t64@0.190-1.1ubuntu0.1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest elfutils/libelf1t64@0.190-1.1ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils package and not the elfutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Ubuntu:24.04 elfutils.

References

low severity

Memory Leak

  • Vulnerable module: binutils
  • Introduced through: binutils@2.42-4ubuntu2.10, binutils/binutils-common@2.42-4ubuntu2.10 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest binutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-common@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libbinutils@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf-nobfd0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libctf0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libgprofng0@2.42-4ubuntu2.10
  • Introduced through: rocker/shiny-verse@latest binutils/libsframe1@2.42-4ubuntu2.10

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. Exploitation is said to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

low severity

Out-of-bounds Write

  • Vulnerable module: gnupg2/dirmngr
  • Introduced through: gnupg2/dirmngr@2.4.4-2ubuntu17.4, gnupg2/gpg-agent@2.4.4-2ubuntu17.4 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest gnupg2/dirmngr@2.4.4-2ubuntu17.4
  • Introduced through: rocker/shiny-verse@latest gnupg2/gpg-agent@2.4.4-2ubuntu17.4
  • Introduced through: rocker/shiny-verse@latest gnupg2/gpgv@2.4.4-2ubuntu17.4
  • Introduced through: rocker/shiny-verse@latest gnupg2/keyboxd@2.4.4-2ubuntu17.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Ubuntu:24.04 gnupg2.

References

low severity
new

Incorrect Resource Transfer Between Spheres

  • Vulnerable module: systemd
  • Introduced through: systemd@255.4-1ubuntu8.15, systemd/libsystemd0@255.4-1ubuntu8.15 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest systemd@255.4-1ubuntu8.15
  • Introduced through: rocker/shiny-verse@latest systemd/libsystemd0@255.4-1ubuntu8.15
  • Introduced through: rocker/shiny-verse@latest systemd/libudev1@255.4-1ubuntu8.15

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Remediation

There is no fixed version for Ubuntu:24.04 systemd.

References

low severity

Missing Authorization

  • Vulnerable module: node
  • Introduced through: node@20.17.0

Detailed paths

  • Introduced through: docker-image|rocker/shiny-verse@latest node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Missing Authorization via FileHandle.chmod or FileHandle.chown functions which can use a "read-only" file descriptor to change the owner and permissions of a file.

Notes:

  • This is only exploitable for users using the experimental permission model when the --allow-fs-write flag is used;

  • This is caused by an incomplete fix for CVE-2024-36137.

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

low severity

NULL Pointer Dereference

  • Vulnerable module: harfbuzz/gir1.2-harfbuzz-0.0
  • Introduced through: harfbuzz/gir1.2-harfbuzz-0.0@8.3.0-2build2, harfbuzz/libharfbuzz-cairo0@8.3.0-2build2 and others

Detailed paths

  • Introduced through: rocker/shiny-verse@latest harfbuzz/gir1.2-harfbuzz-0.0@8.3.0-2build2
  • Introduced through: rocker/shiny-verse@latest harfbuzz/libharfbuzz-cairo0@8.3.0-2build2
  • Introduced through: rocker/shiny-verse@latest harfbuzz/libharfbuzz-dev@8.3.0-2build2
  • Introduced through: rocker/shiny-verse@latest harfbuzz/libharfbuzz-gobject0@8.3.0-2build2
  • Introduced through: rocker/shiny-verse@latest harfbuzz/libharfbuzz-icu0@8.3.0-2build2
  • Introduced through: rocker/shiny-verse@latest harfbuzz/libharfbuzz-subset0@8.3.0-2build2
  • Introduced through: rocker/shiny-verse@latest harfbuzz/libharfbuzz0b@8.3.0-2build2

NVD Description

Note: Versions mentioned in the description apply only to the upstream harfbuzz package and not the harfbuzz package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.

Remediation

There is no fixed version for Ubuntu:24.04 harfbuzz.

low severity

Covert Timing Channel

  • Vulnerable module: libgcrypt20
  • Introduced through: libgcrypt20@1.10.3-2build1

Detailed paths

  • Introduced through: rocker/shiny-verse@latest libgcrypt20@1.10.3-2build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:24.04 libgcrypt20.

low severity
new

CVE-2026-34180

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.

Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated.

An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.

Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity
new

CVE-2026-42766

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.

An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity
new

CVE-2026-42767

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity
new

CVE-2026-42770

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.

A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols. Therefore this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity
new

CVE-2026-45446

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, EVP_DecryptFinal_ex() is documented to return success only if the tag is verified successfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, an empty ciphertext, and an all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, mounting the attack requires the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. For an attack to be possible, an application must implement its own protocol and use the EVP interface. It must also skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity
new

CVE-2026-7383

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.

In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.

X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity
new

CVE-2026-9076

  • Vulnerable module: openssl
  • Introduced through: openssl@3.0.13-0ubuntu3.9, openssl/libssl-dev@3.0.13-0ubuntu3.9 and others
  • Fixed in: 3.0.13-0ubuntu3.11

Detailed paths

  • Introduced through: rocker/shiny-verse@latest openssl@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl-dev@3.0.13-0ubuntu3.9
  • Introduced through: rocker/shiny-verse@latest openssl/libssl3t64@3.0.13-0ubuntu3.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However, the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher, the guard will be ineffective, the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC, and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.

The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.

The FIPS modules are not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.11 or higher.

low severity

CVE-2024-56433

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.13+dfsg1-4ubuntu3.2 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2

Detailed paths

  • Introduced through: rocker/shiny-verse@latest shadow/login@1:4.13+dfsg1-4ubuntu3.2
  • Introduced through: rocker/shiny-verse@latest shadow/passwd@1:4.13+dfsg1-4ubuntu3.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Ubuntu:24.04 shadow.
