Canonical Linux software
Recent Canonical Security Advisories
| Advisory | Title | Published |
|---|---|---|
| USN-8112-2 | USN-8112-2: Linux kernel (FIPS) vulnerabilities | March 20, 2026 |
| USN-8112-1 | USN-8112-1: Linux kernel vulnerabilities | March 20, 2026 |
| USN-8105-2 | USN-8105-2: FreeRDP regression | March 19, 2026 |
| USN-8111-1 | USN-8111-1: OpenStack Glance vulnerability | March 19, 2026 |
| USN-8103-2 | USN-8103-2: Exiv2 regression | March 19, 2026 |
| USN-8018-3 | USN-8018-3: Python 2.7 vulnerabilities | March 19, 2026 |
| USN-8097-2 | USN-8097-2: roundcube regression | March 18, 2026 |
| USN-8110-1 | USN-8110-1: Net-CIDR vulnerability | March 18, 2026 |
| USN-8109-1 | USN-8109-1: Debian Goodies vulnerability | March 18, 2026 |
| USN-8108-1 | USN-8108-1: Bouncy Castle vulnerabilities | March 18, 2026 |
By the Year
In 2026 there have been 238 vulnerabilities in Canonical with an average score of 6.1 out of ten. Last year, in 2025, Canonical had 2855 security vulnerabilities published. Right now, Canonical is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.17.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 238 | 6.11 |
| 2025 | 2855 | 6.29 |
| 2024 | 3547 | 6.31 |
| 2023 | 1074 | 6.88 |
| 2022 | 1201 | 6.99 |
| 2021 | 757 | 6.84 |
| 2020 | 752 | 6.25 |
| 2019 | 791 | 7.00 |
| 2018 | 921 | 7.12 |
It may take a day or so for new Canonical vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Canonical Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-32694 | Mar 18, 2026 | **Juju 3.0.0-3.6.18 Secret XID Predictability Exploit**: In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker. | |
| CVE-2026-32693 | Mar 18, 2026 | **Juju <3.6.18 Unauthorized secret update via secret-set tool (CVE-2026-32693)**: In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee. | |
| CVE-2026-32692 | Mar 18, 2026 | **Juju 3.1.6-3.6.18 Auth Bypass: Vault Secrets Rev Update Vulnerability**: An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end. | |
| CVE-2026-32691 | Mar 18, 2026 | **Juju 3.0.0-3.6.18 Authenticated Unit Agent Race Condition Allows Secret Theft**: A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision. | |
| CVE-2026-3888 | Mar 17, 2026 | **Priv Escalation in snapd via /tmp Recreation (Ubuntu 16.04-24.04)**: Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS. | |
| CVE-2026-3497 | Mar 12, 2026 | **OpenSSH GSSAPI: Uninitialized Variables via sshpkt_disconnect**: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration. | |
| CVE-2026-28384 | Mar 12, 2026 | **LXD 4.12-6.6 Improper sanitization of compression_algorithm allows exec**: An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10. | |
| CVE-2026-3805 | Mar 11, 2026 | **curl SMB UAF: freed memory used on repeated request**: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | |
| CVE-2026-3784 | Mar 11, 2026 | **CURL: Improper HTTP Proxy Connection Reuse with Different Credentials**: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. | |
| CVE-2026-3783 | Mar 11, 2026 | **curl HTTP Redirect Leaks OAuth2 Bearer Token**: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. | |
| CVE-2026-1965 | Mar 11, 2026 | **libcurl Negotiate Auth Reuse Vulnerability: Wrong Credential Leak**: libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). | |
| CVE-2026-26130 | Mar 10, 2026 | **Mar 2026: ASP.NET Core Denial of Service Vulnerability**: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. | |
| CVE-2026-26127 | Mar 10, 2026 | **Mar 2026: .NET Denial of Service Vulnerability**: Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. | |
| CVE-2025-13350 | Mar 05, 2026 | **Ubuntu 6.8 Kernel: AF_UNIX UAF in legacy GC LPE**: Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Dont call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e, and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84. | |
| CVE-2026-3351 | Mar 03, 2026 | **LXD 6.6 ImpAuth: Enumerate Cert FP via GET /1.0/certificates**: Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server. | |
| CVE-2026-25884 | Mar 02, 2026 | **Exiv2 OOB Read in CRW Parser (<=0.28.7), Fixed in 0.28.8**: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8. | |
| CVE-2026-27596 | Mar 02, 2026 | **Exiv2 OOB Read in Preview (-pp) fixed in 0.28.8**: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8. | |
| CVE-2026-27631 | Mar 02, 2026 | **Exiv2 C++ Preview Component Integer Overflow CVE-2026-27631 (Fixed in 0.28.8)**: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8. | |
| CVE-2026-28422 | Feb 27, 2026 | **Vim <9.2.0078: stack-buffer-overflow in statusline rendering**: Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue. | |
| CVE-2026-28421 | Feb 27, 2026 | **Vim <9.2.0077: Heap Buffer Overflow in Swap Recovery**: Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue. | |
| CVE-2026-28420 | Feb 27, 2026 | **Vim <9.2.0076 Heap OOB Buf Read/Write via Max Unicode Combining**: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue. | |
| CVE-2026-28419 | Feb 27, 2026 | **Vim 9.2.0075: Heap Buffer Underflow in Emacs-Style Tags Parsing**: Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue. | |
| CVE-2026-28418 | Feb 27, 2026 | **Vim <9.2.0074 Heap Buffer Overflow via Emacs-Style Tags Parsing**: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue. | |
| CVE-2026-28417 | Feb 27, 2026 | **Vim 9.2.0072 netrw CMD-INJ via scp://**: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue. | |
| CVE-2026-26284 | Feb 24, 2026 | **ImageMagick PCD Huffman OOB Read Fixed in 7.1.2-15/6.9.13-40**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-25987 | Feb 24, 2026 | **ImageMagick MAP Decoder Heap Buffer Over-read (CVE-2026-25987) before 7.1.2-15**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-25986 | Feb 24, 2026 | **ImageMagick 7.1.2-14 heap overflow in ReadYUVImage() YUV 4:2:2**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-25983 | Feb 24, 2026 | **ImageMagick <7.1.2-15 heap UAF via crafted MSL script**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-25968 | Feb 24, 2026 | **ImageMagick stack buffer overflow (msl.c) before 7.1.2-15/6.9.13-40**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-25898 | Feb 24, 2026 | **ImageMagick 7.1.2-15/6.9.13-40 UI/XPM Index Overflow Crash**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-25897 | Feb 24, 2026 | **ImageMagick Integer Overflow in sun decoder pre 7.1.2-15/6.9.13-40**: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |
| CVE-2026-21863 | Feb 23, 2026 | **Valkey <=9.0.2 Clusterbus OOB Read Crash**: Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs. | |
| CVE-2025-67733 | Feb 23, 2026 | **Valkey Lua Script Null Byte Injection CVE-2025-67733 - Fixed 9.0.2, 8.1.6, 8.0.7**: Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. | |
| CVE-2026-0665 | Feb 18, 2026 | **QEMU KVM Xen Guest Off-By-One heap OOB access in Xen physdev**: An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption. | |
| CVE-2025-14876 | Feb 18, 2026 | **QEMU virtio-crypto AKCIPHER DoS via unchecked memory allocation**: A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly. | |
| CVE-2025-10256 | Feb 18, 2026 | **FFmpeg Firequalizer NULL Pointer Deref Leading to DoS**: A NULL pointer dereference vulnerability exists in FFmpeg's Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service. | |
| CVE-2026-25500 | Feb 18, 2026 | **Rack 2.2.22 / 3.1.20 / 3.2.5 Fixed XSS in Directory Index via javascript: links**: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue. | |
| CVE-2026-22860 | Feb 18, 2026 | **Rack::Directory Path Escape Prior to 2.2.22/3.1.20/3.2.5**: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`'s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue. | |
| CVE-2026-23207 | Feb 14, 2026 | **Linux Kernel TEGRA210 QSPI curr_xfer race causes NULL deref**: In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer. | |
| CVE-2026-23202 | Feb 14, 2026 | **Linux Kernel SPI tegra210-Quad curr_xfer Race Leading to Null Deref**: In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free. | |
| CVE-2026-26269 | Feb 13, 2026 | **Vim <9.1.2148: NetBeans specialKeys Stack Buffer Overflow**: Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148. | |
| CVE-2026-2005 | Feb 12, 2026 | **Heap Buffer Overflow in PostgreSQL pgcrypto (pre 18.2/17.8/16.12/15.16/14.21) OS Exploit**: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | |
| CVE-2026-2006 | Feb 12, 2026 | **PostgreSQL Buffer Overrun via Char Valid. (18.2/17.8/16.12/15.16/14.21)**: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | |
| CVE-2026-2004 | Feb 12, 2026 | **PostgreSQL intarray RCE before 18.2/17.8/16.12/15.16/14.21**: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | |
| CVE-2026-2003 | Feb 12, 2026 | **PostgreSQL <18.2 Improper oidvector Validation Server Memory Disclosure**: Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | |
| CVE-2026-25646 | Feb 10, 2026 | **LibPNG 1.6.55-Pre: OOB Read in png_set_quantize() w/ no hist leads to infinite loop**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55. | |
| CVE-2026-25934 | Feb 09, 2026 | **Go-git <5.16.5 Integrity Check Failure (.pack/.idx)**: go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5. | |
| CVE-2026-24684 | Feb 09, 2026 | **FreeRDP <3.22.0 Use-After-Free in RDPSND Async Playback**: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0. | |
| CVE-2026-24683 | Feb 09, 2026 | **FreeRDP <3.22.0 Use-After-Free via unsynchronized channel_callback**: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. This vulnerability is fixed in 3.22.0. | |
| CVE-2026-24682 | Feb 09, 2026 | **FreeRDP BFA in audin_server_recv_formats pre 3.22.0**: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, audin_server_recv_formats frees an incorrect number of audio formats on parse failure (i + i), leading to out-of-bounds access in audio_formats_free. This vulnerability is fixed in 3.22.0. | |