NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:24.04 pam.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
• https://access.redhat.com/security/cve/CVE-2025-8941
• https://bugzilla.redhat.com/show_bug.cgi?id=2388220
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15100
• https://access.redhat.com/errata/RHSA-2025:15104
• https://access.redhat.com/errata/RHSA-2025:15107
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15101
• https://access.redhat.com/errata/RHSA-2025:15102
• https://access.redhat.com/errata/RHSA-2025:15103
• https://access.redhat.com/errata/RHSA-2025:15105
• https://access.redhat.com/errata/RHSA-2025:15106
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:21885

NVD Description

Note: Versions mentioned in the description apply only to the upstream freeglut package and not the freeglut package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.

Remediation

Upgrade Ubuntu:24.04 freeglut to version 3.4.0-1ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-24259
• https://github.com/freeglut/freeglut/pull/155
• https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IBAWX3HMMZVAWJZ3U6VOAYYOYJCN3IS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T43DAHPIWMGN54E4I6ABLHNYHZSTX7H5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IBAWX3HMMZVAWJZ3U6VOAYYOYJCN3IS/

NVD Description

Note: Versions mentioned in the description apply only to the upstream freeglut package and not the freeglut package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.

Remediation

Upgrade Ubuntu:24.04 freeglut to version 3.4.0-1ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-24258
• https://github.com/freeglut/freeglut/pull/155
• https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IBAWX3HMMZVAWJZ3U6VOAYYOYJCN3IS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T43DAHPIWMGN54E4I6ABLHNYHZSTX7H5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IBAWX3HMMZVAWJZ3U6VOAYYOYJCN3IS/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Remediation

Upgrade Ubuntu:24.04 libcap2 to version 1:2.66-5ubuntu2.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4878
• https://access.redhat.com/errata/RHSA-2026:7473
• https://access.redhat.com/security/cve/CVE-2026-4878
• https://bugzilla.redhat.com/show_bug.cgi?id=2447554
• https://bugzilla.redhat.com/show_bug.cgi?id=2451615
• http://www.openwall.com/lists/oss-security/2026/04/07/14
• http://www.openwall.com/lists/oss-security/2026/04/07/4
• http://www.openwall.com/lists/oss-security/2026/04/08/9
• http://www.openwall.com/lists/oss-security/2026/04/09/5
• http://www.openwall.com/lists/oss-security/2026/04/09/6
• https://access.redhat.com/errata/RHSA-2026:12423
• https://access.redhat.com/errata/RHSA-2026:12441
• https://access.redhat.com/errata/RHSA-2026:13285
• https://access.redhat.com/errata/RHSA-2026:14162
• https://access.redhat.com/errata/RHSA-2026:14937

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ReadFileUtf8 internal binding, which fails to clean up pointers in uv_fs_s.file. UTF-16 path buffers leak memory, which can lead to denial of service.

Note:

CVE-2025-23122 is a duplicate of this vulnerability.

Remediation

Upgrade node to version 20.19.2, 22.15.1 or higher.

References

• GitHub Commit
• Node.js Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the llhttp implementation, when handing HTTP/1 headers terminated with \r\n\rX instead of the required \r\n\r\n. This allows attackers to bypass proxy-based access controls and submit unauthorized requests.

Remediation

Upgrade node to version 20.19.2 or higher.

References

• GitHub Commit
• Node.js Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the V8 JavaScript engine due to the string hashing mechanism predictably hashing integer-like strings directly to their numeric values. An attacker can exploit this by sending maliciously crafted payloads containing many colliding strings to endpoints that process user input (most commonly via JSON.parse()). This causes massive hash collisions within V8's internal string table, drastically degrading the performance of the Node.js process and resulting in a Denial of Service (DoS).

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in HTTP/2 servers that triggers when a client sends WINDOW_UPDATE frames on stream 0 that cause the flow control window to exceed $2^{31}-1$. Although the server responds with a GOAWAY frame, it fails to properly clean up the Http2Session object. An unauthenticated remote attacker can exploit this by continuously opening connections and sending these crafted frames. This forces the server to leak memory indefinitely, eventually causing resource exhaustion and a Denial of Service (DoS).

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

References

• GitHub Commit
• Node.js Security Releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream pixman package and not the pixman package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Remediation

There is no fixed version for Ubuntu:24.04 pixman.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-37769
• https://gitlab.freedesktop.org/pixman/pixman/-/issues/76

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the crypto_hmac.cc module using memcmp(), a non-constant-time comparison function to validate user-provided HMAC signatures, rather than the timing-safe equivalents used elsewhere in the codebase. An attacker capable of taking high-resolution timing measurements can use the application as a timing oracle. Because the comparison leaks timing information proportional to the number of matching bytes, the attacker can iteratively infer the expected HMAC values, ultimately enabling them to forge valid Message Authentication Codes (MACs).

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:24.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69651
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921
• https://sourceware.org/bugzilla/show_bug.cgi?id=33698
• https://sourceware.org/bugzilla/show_bug.cgi?id=33700
• https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739
• https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11495
• https://sourceware.org/bugzilla/attachment.cgi?id=16393
• https://sourceware.org/bugzilla/show_bug.cgi?id=33502
• https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0
• https://vuldb.com/?ctiid.327620
• https://vuldb.com/?id.327620
• https://vuldb.com/?submit.668290
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:24.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Ubuntu:24.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Incorrect Authorization in the permission model via the fs.futimes() function due to failing to check for write permissions. A process restricted to "read-only" access can still modify a file's access and modification timestamps. While it doesn't allow changing the file's content, it can be used to obscure malicious activity by tampering with audit logs or metadata.

Note:

This is only exploitable if the attacker already has the ability to execute code on the system (within the restricted Node.js environment).

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Missing Authorization via the fs.realpathSync.native() function. An attacker running malicious code within a restricted Node.js environment (where --allow-fs-read is intentionally limited) can exploit this missing check to verify file existence, resolve symlink targets, and enumerate paths outside of the permitted directories, leading to unauthorized information disclosure.

Remediation

Upgrade node to version 20.20.2, 22.22.2, 24.14.1, 25.8.2 or higher.

References

• GitHub Commit
• Node.js Security Releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:24.04 gnupg2.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68972
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46404339
• https://gpg.fail/formfeed

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69644
• https://sourceware.org/bugzilla/show_bug.cgi?id=33639
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69645
• https://sourceware.org/bugzilla/show_bug.cgi?id=33637
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69646
• https://sourceware.org/bugzilla/show_bug.cgi?id=33638
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69647
• https://sourceware.org/bugzilla/show_bug.cgi?id=33640
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69648
• https://sourceware.org/bugzilla/show_bug.cgi?id=33641
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69652
• https://sourceware.org/bugzilla/show_bug.cgi?id=33701
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5545

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-6253

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-6429

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-7168

NVD Description

Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Remediation

Upgrade Ubuntu:24.04 dpkg to version 1.22.6ubuntu6.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-2219
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
• https://bugs.debian.org/1129722

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4046
• https://sourceware.org/bugzilla/show_bug.cgi?id=33980
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
• https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4437
• https://sourceware.org/bugzilla/show_bug.cgi?id=34014

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4438
• https://sourceware.org/bugzilla/show_bug.cgi?id=34015

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-33636
• https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
• https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
• https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines png_set_tRNS sets png_ptr->trans_alpha = info_ptr->trans_alpha (256-byte buffer) and png_set_PLTE sets info_ptr->palette = png_ptr->palette (768-byte buffer). In both cases, calling png_free_data (with PNG_FREE_TRNS or PNG_FREE_PLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to png_set_tRNS or png_set_PLTE has the same effect, because both functions call png_free_data internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-33416
• https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
• https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
• https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
• https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
• https://github.com/pnggroup/libpng/pull/824
• https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-34757
• https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
• https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc
• https://github.com/pnggroup/libpng/issues/836
• https://github.com/pnggroup/libpng/issues/837
• https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645
• https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Remediation

Upgrade Ubuntu:24.04 nghttp2 to version 1.59.0-1ubuntu0.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-27135
• https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
• https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
• http://www.openwall.com/lists/oss-security/2026/03/20/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.12 package and not the python3.12 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Remediation

There is no fixed version for Ubuntu:24.04 python3.12.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-13462
• https://github.com/python/cpython/issues/141707
• https://github.com/python/cpython/pull/143934
• https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
• https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab
• https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
• https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
• https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114
• https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.12 package and not the python3.12 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Remediation

There is no fixed version for Ubuntu:24.04 python3.12.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-2297
• https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e
• https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e
• https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86
• https://github.com/python/cpython/issues/145506
• https://github.com/python/cpython/pull/145507
• http://www.openwall.com/lists/oss-security/2026/03/05/6
• https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9
• https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd

NVD Description

Note: Versions mentioned in the description apply only to the upstream sed package and not the sed package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:

1. resolves symlink to its target and stores the resolved path for determining when output is written,
2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

Remediation

Upgrade Ubuntu:24.04 sed to version 4.9-2ubuntu0.24.04.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5958
• https://cert.pl/en/posts/2026/04/CVE-2026-5958
• https://www.gnu.org/software/sed/

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:24.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
• http://www.openwall.com/lists/oss-security/2025/11/01/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Ubuntu:24.04 util-linux.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-27456
• https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
• https://github.com/util-linux/util-linux/releases/tag/v2.41.4
• https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g