Vulnerability report for Docker rocker/shiny-verse:latest

Vulnerabilities	98 via 272 paths
Dependencies	419
Source	Docker
Target OS	ubuntu:24.04

Test your Docker Hub image against our market leading vulnerability database Sign up for free

Severity

Critical
1
High
7
Medium
57
Low
33

Status

Open
98
Patched
0
Ignored
0

OS binaries

critical severity

Race Condition

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Race Condition in the vm module with the timeout option. An attacker can access secrets like tokens or passwords to leak or cause data corruption by exploiting a race condition in buffer allocation logic that allows zero-fill toggle to remain disabled when vm module timeouts interrupt execution.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

Race Condition vulnerability report

high severity

Uncaught Exception

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits() function, which incorrectly invokes ThrowException() based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash.

Note: The cryptographic operations involved are commonly applied to untrusted input.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 20.19.2, 22.15.1, 23.11.1, 24.0.2 or higher.

References

Uncaught Exception vulnerability report

high severity

Uncaught Exception

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception due to the unhandled TLSSocket error ECONNRESET. An attacker can cause application crash by passing malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data.

Note:

This issue primary affects applications without explicit error handlers to secure sockets.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

Uncaught Exception vulnerability report

high severity

Directory Traversal

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Directory Traversal in the path.join function. An attacker can bypass the path traversal protection and access restricted files by crafting specific path inputs that leverage Windows reserved driver names such as CON, PRN, and AUX.

Note: This issue only affects Windows systems and is a result of an incomplete fix for CVE-2025-23084

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade node to version 20.19.4, 22.17.1, 24.4.1 or higher.

References

Directory Traversal vulnerability report

high severity

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Vulnerable module: node
Introduced through: node@20.17.0
Fixed in: 20.20.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when async_hooks (or AsyncLocalStorage) is enabled. Normally, a "Maximum call stack size exceeded" error (stack overflow) is catchable by try-catch blocks or uncaughtException handlers. However, if this error occurs while an async_hooks callback is on the stack (which happens frequently in frameworks like Next.js or when using APM tools), Node.js treats it as a fatal error. Remote attackers can trigger this crash by sending payloads that cause deep recursion (e.g., deeply nested JSON objects), leading to a Denial of Service.

Notes:

Node.js 24.x and 25.x are less affected if using only AsyncLocalStorage, as they use a newer V8 feature that avoids this hook mechanism;
The patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, best‑effort behavior and is not a reliable basis for availability or security.

PoC

import { createHook } from 'node:async_hooks';

// This simulates what APM tools do
createHook({ init() {} }).enable();

function recursive() {
  new Promise(() => {}); // Creates async context
  return recursive();
}

try {
  recursive();
} catch (err) {
  console.log('This never runs', err);
}

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior vulnerability report

high severity

Uncaught Exception

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the TLS module when a TLS server is configured with pskCallback or ALPNCallback. A remote attacker can crash or exhaust resources of a TLS server by sending input that causes the callback to throw an error.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

Uncaught Exception vulnerability report

high severity

UNIX Symbolic Link (Symlink) Following

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink() function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

UNIX Symbolic Link (Symlink) Following vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: gnupg2/dirmngr
Introduced through: gnupg2/dirmngr@2.4.4-2ubuntu17.3, gnupg2/gpg-agent@2.4.4-2ubuntu17.3 and others
Fixed in: 2.4.4-2ubuntu17.4

Detailed paths

Introduced through: rocker/shiny-verse@latest › gnupg2/dirmngr@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/gpg-agent@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/gpgv@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/keyboxd@2.4.4-2ubuntu17.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Remediation

Upgrade Ubuntu:24.04 gnupg2 to version 2.4.4-2ubuntu17.4 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

new

Heap-based Buffer Overflow

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.43-5ubuntu0.1 and libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1
Fixed in: 1.6.43-5ubuntu0.5

Detailed paths

Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng-dev@1.6.43-5ubuntu0.1
Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.5 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.43-5ubuntu0.1 and libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1
Fixed in: 1.6.43-5ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng-dev@1.6.43-5ubuntu0.1
Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1

NVD Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.3 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

Directory Traversal

Vulnerable module: pam/libpam-modules
Introduced through: pam/libpam-modules@1.5.3-5ubuntu5.5, pam/libpam-modules-bin@1.5.3-5ubuntu5.5 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › pam/libpam-modules@1.5.3-5ubuntu5.5
Introduced through: rocker/shiny-verse@latest › pam/libpam-modules-bin@1.5.3-5ubuntu5.5
Introduced through: rocker/shiny-verse@latest › pam/libpam-runtime@1.5.3-5ubuntu5.5
Introduced through: rocker/shiny-verse@latest › pam/libpam0g@1.5.3-5ubuntu5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:24.04 pam.

References

Directory Traversal vulnerability report

medium severity

Memory Leak

Vulnerable module: freeglut/libglut3.12
Introduced through: freeglut/libglut3.12@3.4.0-1build1
Fixed in: 3.4.0-1ubuntu0.1~esm1

Detailed paths

Introduced through: rocker/shiny-verse@latest › freeglut/libglut3.12@3.4.0-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freeglut package and not the freeglut package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.

Remediation

Upgrade Ubuntu:24.04 freeglut to version 3.4.0-1ubuntu0.1~esm1 or higher.

References

Memory Leak vulnerability report

medium severity

Memory Leak

Vulnerable module: freeglut/libglut3.12
Introduced through: freeglut/libglut3.12@3.4.0-1build1
Fixed in: 3.4.0-1ubuntu0.1~esm1

Detailed paths

Introduced through: rocker/shiny-verse@latest › freeglut/libglut3.12@3.4.0-1build1

NVD Description

freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.

Remediation

Upgrade Ubuntu:24.04 freeglut to version 3.4.0-1ubuntu0.1~esm1 or higher.

References

Memory Leak vulnerability report

medium severity

new

CVE-2026-21945

Vulnerable module: openjdk-21/openjdk-21-jre-headless
Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04
Fixed in: 21.0.10+7-1~24.04

Detailed paths

Introduced through: rocker/shiny-verse@latest › openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk-21 package and not the openjdk-21 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.10+7-1~24.04 or higher.

References

CVE-2026-21945 vulnerability report

medium severity

new

Out-of-bounds Read

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.10

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.12 package and not the python3.12 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.10 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

new

CVE-2026-21932

Vulnerable module: openjdk-21/openjdk-21-jre-headless
Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04
Fixed in: 21.0.10+7-1~24.04

Detailed paths

Introduced through: rocker/shiny-verse@latest › openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04

NVD Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.10+7-1~24.04 or higher.

References

CVE-2026-21932 vulnerability report

medium severity

Out-of-bounds Read

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.43-5ubuntu0.1 and libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1
Fixed in: 1.6.43-5ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng-dev@1.6.43-5ubuntu0.1
Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1

NVD Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.3 or higher.

References

Out-of-bounds Read vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ReadFileUtf8 internal binding, which fails to clean up pointers in uv_fs_s.file. UTF-16 path buffers leak memory, which can lead to denial of service.

Note:

CVE-2025-23122 is a duplicate of this vulnerability.

Remediation

Upgrade node to version 20.19.2, 22.15.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

HTTP Request Smuggling

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the llhttp implementation, when handing HTTP/1 headers terminated with \r\n\rX instead of the required \r\n\r\n. This allows attackers to bypass proxy-based access controls and submit unauthorized requests.

Remediation

Upgrade node to version 20.19.2 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

new

CVE-2026-21968

Vulnerable module: mysql-8.0/libmysqlclient-dev
Introduced through: mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2 and mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2
Fixed in: 8.0.45-0ubuntu0.24.04.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2
Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream mysql-8.0 package and not the mysql-8.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.45-0ubuntu0.24.04.1 or higher.

References

CVE-2026-21968 vulnerability report

medium severity

Divide By Zero

Vulnerable module: pixman/libpixman-1-0
Introduced through: pixman/libpixman-1-0@0.42.2-1build1 and pixman/libpixman-1-dev@0.42.2-1build1

Detailed paths

Introduced through: rocker/shiny-verse@latest › pixman/libpixman-1-0@0.42.2-1build1
Introduced through: rocker/shiny-verse@latest › pixman/libpixman-1-dev@0.42.2-1build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pixman package and not the pixman package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Remediation

There is no fixed version for Ubuntu:24.04 pixman.

References

Divide By Zero vulnerability report

medium severity

new

CVE-2026-21933

Vulnerable module: openjdk-21/openjdk-21-jre-headless
Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04
Fixed in: 21.0.10+7-1~24.04

Detailed paths

Introduced through: rocker/shiny-verse@latest › openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04

NVD Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.10+7-1~24.04 or higher.

References

CVE-2026-21933 vulnerability report

medium severity

Open Redirect

Vulnerable module: wget
Introduced through: wget@1.21.4-1ubuntu4.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › wget@1.21.4-1ubuntu4.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:24.04 wget.

References

Open Redirect vulnerability report

medium severity

Uncontrolled Recursion

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.3ubuntu3.6 and libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6
Fixed in: 2.9.14+dfsg-1.3ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › libxml2@2.9.14+dfsg-1.3ubuntu3.6
Introduced through: rocker/shiny-verse@latest › libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Remediation

Upgrade Ubuntu:24.04 libxml2 to version 2.9.14+dfsg-1.3ubuntu3.7 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.42-4ubuntu2.8, binutils/binutils-common@2.42-4ubuntu2.8 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › binutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-common@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libbinutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf-nobfd0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libgprofng0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libsframe1@2.42-4ubuntu2.8

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

Out-of-Bounds vulnerability report

medium severity

Algorithmic Complexity

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.6.1-2ubuntu0.3 and expat/libexpat1-dev@2.6.1-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › expat/libexpat1@2.6.1-2ubuntu0.3
Introduced through: rocker/shiny-verse@latest › expat/libexpat1-dev@2.6.1-2ubuntu0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:24.04 expat.

References

Algorithmic Complexity vulnerability report

medium severity

new

CVE-2025-13837

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2025-13837 vulnerability report

medium severity

new

Out-of-bounds Write

Vulnerable module: glib2.0/gir1.2-glib-2.0
Introduced through: glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6, glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6 and others
Fixed in: 2.80.0-6ubuntu3.8

Detailed paths

Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libgirepository-2.0-0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-0t64@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-bin@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-data@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev-bin@2.80.0-6ubuntu3.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

Remediation

Upgrade Ubuntu:24.04 glib2.0 to version 2.80.0-6ubuntu3.8 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

new

Algorithmic Complexity

Vulnerable module: gnutls28/libgnutls30t64
Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.4
Fixed in: 3.8.3-1.1ubuntu3.5

Detailed paths

Introduced through: rocker/shiny-verse@latest › gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.5 or higher.

References

Algorithmic Complexity vulnerability report

medium severity

new

CVE-2025-12084

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2025-12084 vulnerability report

medium severity

new

CVE-2026-21936

Vulnerable module: mysql-8.0/libmysqlclient-dev
Introduced through: mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2 and mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2
Fixed in: 8.0.45-0ubuntu0.24.04.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2
Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.45-0ubuntu0.24.04.1 or higher.

References

CVE-2026-21936 vulnerability report

medium severity

new

CVE-2026-21937

Vulnerable module: mysql-8.0/libmysqlclient-dev
Introduced through: mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2 and mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2
Fixed in: 8.0.45-0ubuntu0.24.04.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2
Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.45-0ubuntu0.24.04.1 or higher.

References

CVE-2026-21937 vulnerability report

medium severity

new

CVE-2026-21941

Vulnerable module: mysql-8.0/libmysqlclient-dev
Introduced through: mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2 and mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2
Fixed in: 8.0.45-0ubuntu0.24.04.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2
Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.45-0ubuntu0.24.04.1 or higher.

References

CVE-2026-21941 vulnerability report

medium severity

new

CVE-2026-21948

Vulnerable module: mysql-8.0/libmysqlclient-dev
Introduced through: mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2 and mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2
Fixed in: 8.0.45-0ubuntu0.24.04.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2
Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.45-0ubuntu0.24.04.1 or higher.

References

CVE-2026-21948 vulnerability report

medium severity

new

CVE-2026-21964

Vulnerable module: mysql-8.0/libmysqlclient-dev
Introduced through: mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2 and mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2
Fixed in: 8.0.45-0ubuntu0.24.04.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient-dev@8.0.44-0ubuntu0.24.04.2
Introduced through: rocker/shiny-verse@latest › mysql-8.0/libmysqlclient21@8.0.44-0ubuntu0.24.04.2

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Ubuntu:24.04 mysql-8.0 to version 8.0.45-0ubuntu0.24.04.1 or higher.

References

CVE-2026-21964 vulnerability report

medium severity

Incorrect Authorization

Vulnerable module: node
Introduced through: node@20.17.0

Detailed paths

Introduced through: docker-image|rocker/shiny-verse@latest › node@20.17.0

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Incorrect Authorization in the permission model via the fs.futimes() function due to failing to check for write permissions. A process restricted to "read-only" access can still modify a file's access and modification timestamps. While it doesn't allow changing the file's content, it can be used to obscure malicious activity by tampering with audit logs or metadata.

Note:

This is only exploitable if the attacker already has the ability to execute code on the system (within the restricted Node.js environment).

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

Incorrect Authorization vulnerability report

medium severity

new

CVE-2026-21925

Vulnerable module: openjdk-21/openjdk-21-jre-headless
Introduced through: openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04
Fixed in: 21.0.10+7-1~24.04

Detailed paths

Introduced through: rocker/shiny-verse@latest › openjdk-21/openjdk-21-jre-headless@21.0.9+10-1~24.04

NVD Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Ubuntu:24.04 openjdk-21 to version 21.0.10+7-1~24.04 or higher.

References

CVE-2026-21925 vulnerability report

medium severity

Improper Verification of Cryptographic Signature

Vulnerable module: gnupg2/dirmngr
Introduced through: gnupg2/dirmngr@2.4.4-2ubuntu17.3, gnupg2/gpg-agent@2.4.4-2ubuntu17.3 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › gnupg2/dirmngr@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/gpg-agent@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/gpgv@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/keyboxd@2.4.4-2ubuntu17.3

NVD Description

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:24.04 gnupg2.

References

Improper Verification of Cryptographic Signature vulnerability report

medium severity

new

Out-of-bounds Write

Vulnerable module: glib2.0/gir1.2-glib-2.0
Introduced through: glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6, glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6 and others
Fixed in: 2.80.0-6ubuntu3.8

Detailed paths

Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libgirepository-2.0-0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-0t64@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-bin@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-data@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev-bin@2.80.0-6ubuntu3.6

NVD Description

A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.

Remediation

Upgrade Ubuntu:24.04 glib2.0 to version 2.80.0-6ubuntu3.8 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Integer Overflow or Wraparound

Vulnerable module: glib2.0/gir1.2-glib-2.0
Introduced through: glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6, glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6 and others
Fixed in: 2.80.0-6ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libgirepository-2.0-0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-0t64@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-bin@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-data@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev-bin@2.80.0-6ubuntu3.6

NVD Description

A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).

Remediation

Upgrade Ubuntu:24.04 glib2.0 to version 2.80.0-6ubuntu3.7 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Uncontrolled Recursion

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.3ubuntu3.6 and libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6
Fixed in: 2.9.14+dfsg-1.3ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › libxml2@2.9.14+dfsg-1.3ubuntu3.6
Introduced through: rocker/shiny-verse@latest › libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6

NVD Description

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Remediation

Upgrade Ubuntu:24.04 libxml2 to version 2.9.14+dfsg-1.3ubuntu3.7 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Out-of-Bounds

Vulnerable module: binutils
Introduced through: binutils@2.42-4ubuntu2.8, binutils/binutils-common@2.42-4ubuntu2.8 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › binutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-common@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libbinutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf-nobfd0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libgprofng0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libsframe1@2.42-4ubuntu2.8

NVD Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

Out-of-Bounds vulnerability report

medium severity

Resource Exhaustion

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.3ubuntu3.6 and libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6
Fixed in: 2.9.14+dfsg-1.3ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › libxml2@2.9.14+dfsg-1.3ubuntu3.6
Introduced through: rocker/shiny-verse@latest › libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6

NVD Description

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Remediation

Upgrade Ubuntu:24.04 libxml2 to version 2.9.14+dfsg-1.3ubuntu3.7 or higher.

References

Resource Exhaustion vulnerability report

medium severity

new

Buffer Underflow

Vulnerable module: glib2.0/gir1.2-glib-2.0
Introduced through: glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6, glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6 and others
Fixed in: 2.80.0-6ubuntu3.8

Detailed paths

Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/gir1.2-glib-2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libgirepository-2.0-0@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-0t64@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-bin@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-data@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev@2.80.0-6ubuntu3.6
Introduced through: rocker/shiny-verse@latest › glib2.0/libglib2.0-dev-bin@2.80.0-6ubuntu3.6

NVD Description

A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.

Remediation

Upgrade Ubuntu:24.04 glib2.0 to version 2.80.0-6ubuntu3.8 or higher.

References

Buffer Underflow vulnerability report

medium severity

new

NULL Pointer Dereference

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.6.1-2ubuntu0.3 and expat/libexpat1-dev@2.6.1-2ubuntu0.3
Fixed in: 2.6.1-2ubuntu0.4

Detailed paths

Introduced through: rocker/shiny-verse@latest › expat/libexpat1@2.6.1-2ubuntu0.3
Introduced through: rocker/shiny-verse@latest › expat/libexpat1-dev@2.6.1-2ubuntu0.3

NVD Description

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Remediation

Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.4 or higher.

References

NULL Pointer Dereference vulnerability report

medium severity

new

CVE-2025-14017

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6
Fixed in: 8.5.0-2ubuntu10.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.

References

CVE-2025-14017 vulnerability report

medium severity

new

Integer Overflow or Wraparound

Vulnerable module: expat/libexpat1
Introduced through: expat/libexpat1@2.6.1-2ubuntu0.3 and expat/libexpat1-dev@2.6.1-2ubuntu0.3
Fixed in: 2.6.1-2ubuntu0.4

Detailed paths

Introduced through: rocker/shiny-verse@latest › expat/libexpat1@2.6.1-2ubuntu0.3
Introduced through: rocker/shiny-verse@latest › expat/libexpat1-dev@2.6.1-2ubuntu0.3

NVD Description

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Remediation

Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.4 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

new

CVE-2025-15281

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.39-0ubuntu8.6, glibc/libc-dev-bin@2.39-0ubuntu8.6 and others
Fixed in: 2.39-0ubuntu8.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › glibc/libc-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc-dev-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6-dev@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/locales@2.39-0ubuntu8.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.

References

CVE-2025-15281 vulnerability report

medium severity

CVE-2026-0861

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.39-0ubuntu8.6, glibc/libc-dev-bin@2.39-0ubuntu8.6 and others
Fixed in: 2.39-0ubuntu8.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › glibc/libc-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc-dev-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6-dev@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/locales@2.39-0ubuntu8.6

NVD Description

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.

Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Remediation

Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.

References

CVE-2026-0861 vulnerability report

medium severity

new

CVE-2026-0915

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.39-0ubuntu8.6, glibc/libc-dev-bin@2.39-0ubuntu8.6 and others
Fixed in: 2.39-0ubuntu8.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › glibc/libc-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc-dev-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6-dev@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/locales@2.39-0ubuntu8.6

NVD Description

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.

References

CVE-2026-0915 vulnerability report

medium severity

new

CVE-2025-28162

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.43-5ubuntu0.1 and libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1
Fixed in: 1.6.43-5ubuntu0.4

Detailed paths

Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng-dev@1.6.43-5ubuntu0.1
Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1

NVD Description

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.4 or higher.

References

CVE-2025-28162 vulnerability report

medium severity

new

CVE-2025-28164

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.43-5ubuntu0.1 and libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1
Fixed in: 1.6.43-5ubuntu0.4

Detailed paths

Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng-dev@1.6.43-5ubuntu0.1
Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1

NVD Description

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.4 or higher.

References

CVE-2025-28164 vulnerability report

medium severity

CVE-2025-66293

Vulnerable module: libpng1.6/libpng-dev
Introduced through: libpng1.6/libpng-dev@1.6.43-5ubuntu0.1 and libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1
Fixed in: 1.6.43-5ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng-dev@1.6.43-5ubuntu0.1
Introduced through: rocker/shiny-verse@latest › libpng1.6/libpng16-16t64@1.6.43-5ubuntu0.1

NVD Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Remediation

Upgrade Ubuntu:24.04 libpng1.6 to version 1.6.43-5ubuntu0.3 or higher.

References

CVE-2025-66293 vulnerability report

medium severity

new

CVE-2026-0964

Vulnerable module: libssh/libssh-4
Introduced through: libssh/libssh-4@0.10.6-2ubuntu0.2
Fixed in: 0.10.6-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libssh/libssh-4@0.10.6-2ubuntu0.2

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.

References

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0964

CVE-2026-0964 vulnerability report

medium severity

new

CVE-2026-0967

Vulnerable module: libssh/libssh-4
Introduced through: libssh/libssh-4@0.10.6-2ubuntu0.2
Fixed in: 0.10.6-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libssh/libssh-4@0.10.6-2ubuntu0.2

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.

References

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0967

CVE-2026-0967 vulnerability report

medium severity

new

CVE-2026-0968

Vulnerable module: libssh/libssh-4
Introduced through: libssh/libssh-4@0.10.6-2ubuntu0.2
Fixed in: 0.10.6-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libssh/libssh-4@0.10.6-2ubuntu0.2

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.

References

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0968

CVE-2026-0968 vulnerability report

medium severity

new

Out-of-bounds Write

Vulnerable module: libtasn1-6
Introduced through: libtasn1-6@4.19.0-3ubuntu0.24.04.1
Fixed in: 4.19.0-3ubuntu0.24.04.2

Detailed paths

Introduced through: rocker/shiny-verse@latest › libtasn1-6@4.19.0-3ubuntu0.24.04.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Remediation

Upgrade Ubuntu:24.04 libtasn1-6 to version 4.19.0-3ubuntu0.24.04.2 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

CVE-2025-15467

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2025-15467 vulnerability report

medium severity

new

CVE-2025-11468

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2025-11468 vulnerability report

medium severity

new

CVE-2025-15282

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2025-15282 vulnerability report

medium severity

new

CVE-2025-15366

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2025-15366 vulnerability report

medium severity

new

CVE-2025-15367

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2025-15367 vulnerability report

medium severity

new

CVE-2026-0672

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2026-0672 vulnerability report

medium severity

new

CVE-2026-0865

Vulnerable module: python3.12
Introduced through: python3.12@3.12.3-1ubuntu0.9, python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9 and others
Fixed in: 3.12.3-1ubuntu0.11

Detailed paths

Introduced through: rocker/shiny-verse@latest › python3.12@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-minimal@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/libpython3.12-stdlib@3.12.3-1ubuntu0.9
Introduced through: rocker/shiny-verse@latest › python3.12/python3.12-minimal@3.12.3-1ubuntu0.9

NVD Description

User-controlled header names and values containing newlines can allow injecting HTTP headers.

Remediation

Upgrade Ubuntu:24.04 python3.12 to version 3.12.3-1ubuntu0.11 or higher.

References

CVE-2026-0865 vulnerability report

medium severity

Directory Traversal

Vulnerable module: tar
Introduced through: tar@1.35+dfsg-3build1

Detailed paths

Introduced through: rocker/shiny-verse@latest › tar@1.35+dfsg-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:24.04 tar.

References

Directory Traversal vulnerability report

low severity

Out-of-Bounds

Vulnerable module: elfutils/libelf1t64
Introduced through: elfutils/libelf1t64@0.190-1.1ubuntu0.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › elfutils/libelf1t64@0.190-1.1ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils package and not the elfutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Ubuntu:24.04 elfutils.

References

Out-of-Bounds vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.39-0ubuntu8.6, glibc/libc-dev-bin@2.39-0ubuntu8.6 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › glibc/libc-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc-dev-bin@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/libc6-dev@2.39-0ubuntu8.6
Introduced through: rocker/shiny-verse@latest › glibc/locales@2.39-0ubuntu8.6

NVD Description

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:24.04 glibc.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

CVE-2025-69421

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2025-69421 vulnerability report

low severity

Buffer Overflow

Vulnerable module: icu/icu-devtools
Introduced through: icu/icu-devtools@74.2-1ubuntu3.1, icu/libicu-dev@74.2-1ubuntu3.1 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › icu/icu-devtools@74.2-1ubuntu3.1
Introduced through: rocker/shiny-verse@latest › icu/libicu-dev@74.2-1ubuntu3.1
Introduced through: rocker/shiny-verse@latest › icu/libicu74@74.2-1ubuntu3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream icu package and not the icu package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

Remediation

There is no fixed version for Ubuntu:24.04 icu.

References

Buffer Overflow vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.18.0-3build1, cairo/libcairo-script-interpreter2@1.18.0-3build1 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › cairo/libcairo-gobject2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo-script-interpreter2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo2-dev@1.18.0-3build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream cairo package and not the cairo package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

Remediation

There is no fixed version for Ubuntu:24.04 cairo.

References

Out-of-bounds Write vulnerability report

low severity

Reachable Assertion

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.18.0-3build1, cairo/libcairo-script-interpreter2@1.18.0-3build1 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › cairo/libcairo-gobject2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo-script-interpreter2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo2-dev@1.18.0-3build1

NVD Description

An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.

Remediation

There is no fixed version for Ubuntu:24.04 cairo.

References

Reachable Assertion vulnerability report

low severity

Improper Input Validation

Vulnerable module: coreutils
Introduced through: coreutils@9.4-3ubuntu6.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › coreutils@9.4-3ubuntu6.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:24.04 coreutils.

References

Improper Input Validation vulnerability report

low severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: binutils
Introduced through: binutils@2.42-4ubuntu2.8, binutils/binutils-common@2.42-4ubuntu2.8 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › binutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-common@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libbinutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf-nobfd0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libgprofng0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libsframe1@2.42-4ubuntu2.8

NVD Description

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

Allocation of Resources Without Limits or Throttling vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: cairo/libcairo-gobject2
Introduced through: cairo/libcairo-gobject2@1.18.0-3build1, cairo/libcairo-script-interpreter2@1.18.0-3build1 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › cairo/libcairo-gobject2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo-script-interpreter2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo2@1.18.0-3build1
Introduced through: rocker/shiny-verse@latest › cairo/libcairo2-dev@1.18.0-3build1

NVD Description

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

Remediation

There is no fixed version for Ubuntu:24.04 cairo.

References

NULL Pointer Dereference vulnerability report

low severity

Improper Resource Shutdown or Release

Vulnerable module: elfutils/libelf1t64
Introduced through: elfutils/libelf1t64@0.190-1.1ubuntu0.1

Detailed paths

Introduced through: rocker/shiny-verse@latest › elfutils/libelf1t64@0.190-1.1ubuntu0.1

NVD Description

A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Ubuntu:24.04 elfutils.

References

Improper Resource Shutdown or Release vulnerability report

low severity

new

Stack-based Buffer Overflow

Vulnerable module: gnutls28/libgnutls30t64
Introduced through: gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.4
Fixed in: 3.8.3-1.1ubuntu3.5

Detailed paths

Introduced through: rocker/shiny-verse@latest › gnutls28/libgnutls30t64@3.8.3-1.1ubuntu3.4

NVD Description

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Remediation

Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.5 or higher.

References

Stack-based Buffer Overflow vulnerability report

low severity

Memory Leak

Vulnerable module: binutils
Introduced through: binutils@2.42-4ubuntu2.8, binutils/binutils-common@2.42-4ubuntu2.8 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › binutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-common@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/binutils-x86-64-linux-gnu@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libbinutils@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf-nobfd0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libctf0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libgprofng0@2.42-4ubuntu2.8
Introduced through: rocker/shiny-verse@latest › binutils/libsframe1@2.42-4ubuntu2.8

NVD Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

There is no fixed version for Ubuntu:24.04 binutils.

References

Memory Leak vulnerability report

low severity

Out-of-bounds Write

Vulnerable module: gnupg2/dirmngr
Introduced through: gnupg2/dirmngr@2.4.4-2ubuntu17.3, gnupg2/gpg-agent@2.4.4-2ubuntu17.3 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › gnupg2/dirmngr@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/gpg-agent@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/gpgv@2.4.4-2ubuntu17.3
Introduced through: rocker/shiny-verse@latest › gnupg2/keyboxd@2.4.4-2ubuntu17.3

NVD Description

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Ubuntu:24.04 gnupg2.

References

Out-of-bounds Write vulnerability report

low severity

Improper Resource Shutdown or Release

Vulnerable module: libxml2
Introduced through: libxml2@2.9.14+dfsg-1.3ubuntu3.6 and libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6
Fixed in: 2.9.14+dfsg-1.3ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › libxml2@2.9.14+dfsg-1.3ubuntu3.6
Introduced through: rocker/shiny-verse@latest › libxml2/libxml2-dev@2.9.14+dfsg-1.3ubuntu3.6

NVD Description

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Remediation

Upgrade Ubuntu:24.04 libxml2 to version 2.9.14+dfsg-1.3ubuntu3.7 or higher.

References

Improper Resource Shutdown or Release vulnerability report

low severity

new

Memory Leak

Vulnerable module: libssh/libssh-4
Introduced through: libssh/libssh-4@0.10.6-2ubuntu0.2
Fixed in: 0.10.6-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libssh/libssh-4@0.10.6-2ubuntu0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

Remediation

Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.

References

Memory Leak vulnerability report

low severity

CVE-2025-0167

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.

Remediation

There is no fixed version for Ubuntu:24.04 curl.

References

CVE-2025-0167 vulnerability report

low severity

CVE-2025-10148

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6
Fixed in: 8.5.0-2ubuntu10.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.

References

CVE-2025-10148 vulnerability report

low severity

CVE-2025-14819

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6
Fixed in: 8.5.0-2ubuntu10.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.

References

CVE-2025-14819 vulnerability report

low severity

CVE-2025-15079

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6
Fixed in: 8.5.0-2ubuntu10.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.

References

CVE-2025-15079 vulnerability report

low severity

CVE-2025-15224

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6
Fixed in: 8.5.0-2ubuntu10.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.

References

CVE-2025-15224 vulnerability report

low severity

Open Redirect

Vulnerable module: curl/libcurl4-openssl-dev
Introduced through: curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6 and curl/libcurl4t64@8.5.0-2ubuntu10.6
Fixed in: 8.5.0-2ubuntu10.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › curl/libcurl4-openssl-dev@8.5.0-2ubuntu10.6
Introduced through: rocker/shiny-verse@latest › curl/libcurl4t64@8.5.0-2ubuntu10.6

NVD Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.

References

Open Redirect vulnerability report

low severity

NULL Pointer Dereference

Vulnerable module: harfbuzz/gir1.2-harfbuzz-0.0
Introduced through: harfbuzz/gir1.2-harfbuzz-0.0@8.3.0-2build2, harfbuzz/libharfbuzz-cairo0@8.3.0-2build2 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › harfbuzz/gir1.2-harfbuzz-0.0@8.3.0-2build2
Introduced through: rocker/shiny-verse@latest › harfbuzz/libharfbuzz-cairo0@8.3.0-2build2
Introduced through: rocker/shiny-verse@latest › harfbuzz/libharfbuzz-dev@8.3.0-2build2
Introduced through: rocker/shiny-verse@latest › harfbuzz/libharfbuzz-gobject0@8.3.0-2build2
Introduced through: rocker/shiny-verse@latest › harfbuzz/libharfbuzz-icu0@8.3.0-2build2
Introduced through: rocker/shiny-verse@latest › harfbuzz/libharfbuzz-subset0@8.3.0-2build2
Introduced through: rocker/shiny-verse@latest › harfbuzz/libharfbuzz0b@8.3.0-2build2

NVD Description

Note: Versions mentioned in the description apply only to the upstream harfbuzz package and not the harfbuzz package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.

Remediation

There is no fixed version for Ubuntu:24.04 harfbuzz.

References

NULL Pointer Dereference vulnerability report

low severity

Covert Timing Channel

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.10.3-2build1

Detailed paths

Introduced through: rocker/shiny-verse@latest › libgcrypt20@1.10.3-2build1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:24.04 libgcrypt20.

References

Covert Timing Channel vulnerability report

low severity

new

CVE-2026-0965

Vulnerable module: libssh/libssh-4
Introduced through: libssh/libssh-4@0.10.6-2ubuntu0.2
Fixed in: 0.10.6-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libssh/libssh-4@0.10.6-2ubuntu0.2

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.

References

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0965

CVE-2026-0965 vulnerability report

low severity

new

CVE-2026-0966

Vulnerable module: libssh/libssh-4
Introduced through: libssh/libssh-4@0.10.6-2ubuntu0.2
Fixed in: 0.10.6-2ubuntu0.3

Detailed paths

Introduced through: rocker/shiny-verse@latest › libssh/libssh-4@0.10.6-2ubuntu0.2

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.

References

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0966

CVE-2026-0966 vulnerability report

low severity

CVE-2024-41996

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

Remediation

There is no fixed version for Ubuntu:24.04 openssl.

References

CVE-2024-41996 vulnerability report

low severity

CVE-2025-68160

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2025-68160 vulnerability report

low severity

CVE-2025-69418

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection. The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes. However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2025-69418 vulnerability report

low severity

CVE-2025-69419

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2025-69419 vulnerability report

low severity

CVE-2025-69420

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2025-69420 vulnerability report

low severity

CVE-2026-22795

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2026-22795 vulnerability report

low severity

CVE-2026-22796

Vulnerable module: openssl
Introduced through: openssl@3.0.13-0ubuntu3.6, openssl/libssl-dev@3.0.13-0ubuntu3.6 and others
Fixed in: 3.0.13-0ubuntu3.7

Detailed paths

Introduced through: rocker/shiny-verse@latest › openssl@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl-dev@3.0.13-0ubuntu3.6
Introduced through: rocker/shiny-verse@latest › openssl/libssl3t64@3.0.13-0ubuntu3.6

NVD Description

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

References

CVE-2026-22796 vulnerability report

low severity

CVE-2024-56433

Vulnerable module: shadow/login
Introduced through: shadow/login@1:4.13+dfsg1-4ubuntu3.2 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2

Detailed paths

Introduced through: rocker/shiny-verse@latest › shadow/login@1:4.13+dfsg1-4ubuntu3.2
Introduced through: rocker/shiny-verse@latest › shadow/passwd@1:4.13+dfsg1-4ubuntu3.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Ubuntu:24.04 shadow.

References

CVE-2024-56433 vulnerability report

Vulnerabilities

Dependencies

Source

Target OS

critical severity

Race Condition

Detailed paths

Overview

Remediation

References

high severity

Uncaught Exception

Detailed paths

Overview

Details

Remediation

References

high severity

Uncaught Exception

Detailed paths

Overview

Remediation

References

high severity

Directory Traversal

Detailed paths

Overview

Details

Remediation

References

high severity

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Detailed paths

Overview

PoC

Remediation

References

high severity

Uncaught Exception

Detailed paths

Overview

Remediation

References

high severity

UNIX Symbolic Link (Symlink) Following

Detailed paths

Overview

Remediation

References

high severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity new

Heap-based Buffer Overflow

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Read

Detailed paths

NVD Description

Remediation

References

medium severity

Directory Traversal

Detailed paths

NVD Description

Remediation

References

medium severity

Memory Leak

Detailed paths

NVD Description

Remediation

References

medium severity

medium severity

new

medium severity

new

medium severity

new

medium severity

new

medium severity

new

medium severity

new