Vulnerability report for Docker ubuntu:latest

Vulnerabilities	50 via 91 paths
Dependencies	87
Source	Docker
Target OS	ubuntu:26.04

Test your Docker Hub image against our market leading vulnerability database Sign up for free

Severity

Critical
High
1
Medium
36
Low
13

Status

Open
50
Patched
0
Ignored
0

high severity

new

CVE-2026-45447

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.

Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.

When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.

In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.

Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-45447 vulnerability report

medium severity

CVE-2026-35373

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35373 vulnerability report

medium severity

Unrestricted Upload of File with Dangerous Type

Vulnerable module: tar
Introduced through: tar@1.35+dfsg-4

Detailed paths

Introduced through: ubuntu@latest › tar@1.35+dfsg-4

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References

Unrestricted Upload of File with Dangerous Type vulnerability report

medium severity

Authentication Bypass

Vulnerable module: util-linux
Introduced through: util-linux@2.41.3-3ubuntu2, util-linux/bsdutils@1:2.41.3-3ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › util-linux@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/bsdutils@1:2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libblkid1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libmount1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libsmartcols1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libuuid1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/login@1:4.16.0-2+really2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/mount@2.41.3-3ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References

Authentication Bypass vulnerability report

medium severity

CVE-2026-4046

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.43-2ubuntu2, glibc/libc-gconv-modules-extra@2.43-2ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › glibc/libc-bin@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc-gconv-modules-extra@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc6@2.43-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

CVE-2026-4046 vulnerability report

medium severity

CVE-2026-4437

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.43-2ubuntu2, glibc/libc-gconv-modules-extra@2.43-2ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › glibc/libc-bin@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc-gconv-modules-extra@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc6@2.43-2ubuntu2

NVD Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

CVE-2026-4437 vulnerability report

medium severity

CVE-2026-4438

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.43-2ubuntu2, glibc/libc-gconv-modules-extra@2.43-2ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › glibc/libc-bin@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc-gconv-modules-extra@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc6@2.43-2ubuntu2

NVD Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

CVE-2026-4438 vulnerability report

medium severity

new

CVE-2026-5435

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.43-2ubuntu2, glibc/libc-gconv-modules-extra@2.43-2ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › glibc/libc-bin@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc-gconv-modules-extra@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc6@2.43-2ubuntu2

NVD Description

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

CVE-2026-5435 vulnerability report

medium severity

new

CVE-2026-6238

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.43-2ubuntu2, glibc/libc-gconv-modules-extra@2.43-2ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › glibc/libc-bin@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc-gconv-modules-extra@2.43-2ubuntu2
Introduced through: ubuntu@latest › glibc/libc6@2.43-2ubuntu2

NVD Description

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

CVE-2026-6238 vulnerability report

medium severity

new

Out-of-bounds Write

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.12.0-2
Fixed in: 1.12.0-2ubuntu0.1

Detailed paths

Introduced through: ubuntu@latest › libgcrypt20@1.12.0-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Remediation

Upgrade Ubuntu:26.04 libgcrypt20 to version 1.12.0-2ubuntu0.1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.12.0-2
Fixed in: 1.12.0-2ubuntu0.1

Detailed paths

Introduced through: ubuntu@latest › libgcrypt20@1.12.0-2

NVD Description

Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

Remediation

Upgrade Ubuntu:26.04 libgcrypt20 to version 1.12.0-2ubuntu0.1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

new

CVE-2026-34182

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.

Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.

In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.

An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.

If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.

In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.

The FIPS modules are not affected by this issue.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-34182 vulnerability report

medium severity

new

CVE-2026-34183

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.

Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-34183 vulnerability report

medium severity

new

CVE-2026-42764

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled.

Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service.

If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token.

By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-42764 vulnerability report

medium severity

new

CVE-2026-45445

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.

Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.

OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.

If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.

The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-45445 vulnerability report

medium severity

CVE-2026-35341

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35341 vulnerability report

medium severity

CVE-2026-35344

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35344 vulnerability report

medium severity

CVE-2026-35345

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35345 vulnerability report

medium severity

CVE-2026-35348

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35348 vulnerability report

medium severity

CVE-2026-35350

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35350 vulnerability report

medium severity

CVE-2026-35351

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35351 vulnerability report

medium severity

CVE-2026-35352

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35352 vulnerability report

medium severity

CVE-2026-35354

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35354 vulnerability report

medium severity

CVE-2026-35357

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35357 vulnerability report

medium severity

CVE-2026-35359

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35359 vulnerability report

medium severity

CVE-2026-35360

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35360 vulnerability report

medium severity

CVE-2026-35363

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35363 vulnerability report

medium severity

CVE-2026-35364

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35364 vulnerability report

medium severity

CVE-2026-35367

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35367 vulnerability report

medium severity

CVE-2026-35368

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35368 vulnerability report

medium severity

CVE-2026-35370

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35370 vulnerability report

medium severity

CVE-2026-35371

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35371 vulnerability report

medium severity

CVE-2026-35374

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35374 vulnerability report

medium severity

CVE-2026-35377

Vulnerable module: rust-coreutils
Introduced through: rust-coreutils@0.8.0-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › rust-coreutils@0.8.0-0ubuntu3

NVD Description

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \ and '). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

CVE-2026-35377 vulnerability report

medium severity

Time-of-check Time-of-use (TOCTOU)

Vulnerable module: sed
Introduced through: sed@4.9-2build3
Fixed in: 4.9-2ubuntu1

Detailed paths

Introduced through: ubuntu@latest › sed@4.9-2build3

NVD Description

Note: Versions mentioned in the description apply only to the upstream sed package and not the sed package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:

resolves symlink to its target and stores the resolved path for determining when output is written,
opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

Remediation

Upgrade Ubuntu:26.04 sed to version 4.9-2ubuntu1 or higher.

References

Time-of-check Time-of-use (TOCTOU) vulnerability report

medium severity

Directory Traversal

Vulnerable module: tar
Introduced through: tar@1.35+dfsg-4

Detailed paths

Introduced through: ubuntu@latest › tar@1.35+dfsg-4

NVD Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References

Directory Traversal vulnerability report

medium severity

Time-of-check Time-of-use (TOCTOU)

Vulnerable module: util-linux
Introduced through: util-linux@2.41.3-3ubuntu2, util-linux/bsdutils@1:2.41.3-3ubuntu2 and others

Detailed paths

Introduced through: ubuntu@latest › util-linux@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/bsdutils@1:2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libblkid1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libmount1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libsmartcols1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/libuuid1@2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/login@1:4.16.0-2+really2.41.3-3ubuntu2
Introduced through: ubuntu@latest › util-linux/mount@2.41.3-3ubuntu2

NVD Description

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References

Time-of-check Time-of-use (TOCTOU) vulnerability report

low severity

new

Incorrect Resource Transfer Between Spheres

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@259.5-0ubuntu3 and systemd/libudev1@259.5-0ubuntu3

Detailed paths

Introduced through: ubuntu@latest › systemd/libsystemd0@259.5-0ubuntu3
Introduced through: ubuntu@latest › systemd/libudev1@259.5-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Remediation

There is no fixed version for Ubuntu:26.04 systemd.

References

Incorrect Resource Transfer Between Spheres vulnerability report

low severity

Covert Timing Channel

Vulnerable module: libgcrypt20
Introduced through: libgcrypt20@1.12.0-2

Detailed paths

Introduced through: ubuntu@latest › libgcrypt20@1.12.0-2

NVD Description

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:26.04 libgcrypt20.

References

Covert Timing Channel vulnerability report

low severity

new

CVE-2026-34180

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.

Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated.

An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.

Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-34180 vulnerability report

low severity

new

CVE-2026-34181

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.

Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.

If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-34181 vulnerability report

low severity

new

CVE-2026-42766

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.

An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-42766 vulnerability report

low severity

new

CVE-2026-42767

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-42767 vulnerability report

low severity

new

CVE-2026-42768

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output.

Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key.

The attack is possible in 2 variants.

The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success.

An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available.

That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it.

When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted.

An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle.

We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled.

The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption.

The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-42768 vulnerability report

low severity

new

CVE-2026-42769

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level.

Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate.

One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one.

The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code).

An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor.

Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-42769 vulnerability report

low severity

new

CVE-2026-42770

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.

A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-42770 vulnerability report

low severity

new

CVE-2026-45446

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, EVP_DecryptFinal_ex() is documented to return success only if the tag is verified succesfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-45446 vulnerability report

low severity

new

CVE-2026-7383

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.

In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.

X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-7383 vulnerability report

low severity

new

CVE-2026-9076

Vulnerable module: openssl/libssl3t64
Introduced through: openssl/libssl3t64@3.5.5-1ubuntu3 and openssl/openssl-provider-legacy@3.5.5-1ubuntu3
Fixed in: 3.5.5-1ubuntu3.2

Detailed paths

Introduced through: ubuntu@latest › openssl/libssl3t64@3.5.5-1ubuntu3
Introduced through: ubuntu@latest › openssl/openssl-provider-legacy@3.5.5-1ubuntu3

NVD Description

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.

The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.

The FIPS modules are not affected by this issue.

Remediation

Upgrade Ubuntu:26.04 openssl to version 3.5.5-1ubuntu3.2 or higher.

References

CVE-2026-9076 vulnerability report

low severity

CVE-2024-56433

Vulnerable module: shadow/login.defs
Introduced through: shadow/login.defs@1:4.17.4-2ubuntu3 and shadow/passwd@1:4.17.4-2ubuntu3

Detailed paths

Introduced through: ubuntu@latest › shadow/login.defs@1:4.17.4-2ubuntu3
Introduced through: ubuntu@latest › shadow/passwd@1:4.17.4-2ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Ubuntu:26.04 shadow.

References

CVE-2024-56433 vulnerability report

Vulnerabilities

Dependencies

Source

Target OS

high severity new

CVE-2026-45447

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2026-35373

Detailed paths

NVD Description

Remediation

References

medium severity

Unrestricted Upload of File with Dangerous Type

Detailed paths

NVD Description

Remediation

References

medium severity

Authentication Bypass

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2026-4046

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2026-4437

Detailed paths

NVD Description

Remediation

References

medium severity

CVE-2026-4438

Detailed paths

NVD Description

Remediation

References

medium severity new

CVE-2026-5435

Detailed paths

NVD Description

Remediation

References

medium severity new

CVE-2026-6238

Detailed paths

NVD Description

Remediation

References

medium severity new

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity

Out-of-bounds Write

Detailed paths

NVD Description

Remediation

References

medium severity new

CVE-2026-34182

Detailed paths

NVD Description

Remediation

References

medium severity new

CVE-2026-34183

Detailed paths

NVD Description

high severity

new

medium severity

new

medium severity

new

medium severity

new

medium severity

new

medium severity

new

medium severity

new

medium severity

new