Canonical Linux software
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Canonical product.
RSS Feeds for Canonical security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Canonical products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Canonical Sorted by Most Security Vulnerabilities since 2018
Recent Canonical Security Advisories
| Advisory | Title | Published |
|---|---|---|
| USN-8477-2 | USN-8477-2: tar regression | July 16, 2026 |
| USN-8557-1 | USN-8557-1: Authlib vulnerabilities | July 16, 2026 |
| USN-8556-1 | USN-8556-1: Ruby vulnerabilities | July 16, 2026 |
| USN-8555-1 | USN-8555-1: Ubuntu Advantage Tools (pro client) vulnerabilities | July 16, 2026 |
| USN-8554-1 | USN-8554-1: NTFS-3G vulnerabilities | July 16, 2026 |
| USN-8553-1 | USN-8553-1: .NET vulnerabilities | July 15, 2026 |
| USN-8552-1 | USN-8552-1: Sympa vulnerability | July 15, 2026 |
| USN-8551-1 | USN-8551-1: Tomcat vulnerabilities | July 15, 2026 |
| USN-8550-1 | USN-8550-1: libslirp vulnerability | July 15, 2026 |
| USN-8549-1 | USN-8549-1: idna vulnerability | July 15, 2026 |
By the Year
In 2026 there have been 1607 vulnerabilities in Canonical with an average score of 7.1 out of ten. Last year, in 2025 Canonical had 2902 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Canonical in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.80.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1607 | 7.13 |
| 2025 | 2902 | 6.33 |
| 2024 | 3590 | 6.40 |
| 2023 | 1085 | 6.86 |
| 2022 | 1210 | 6.98 |
| 2021 | 774 | 6.87 |
| 2020 | 766 | 6.24 |
| 2019 | 796 | 6.99 |
| 2018 | 931 | 7.10 |
It may take a day or so for new Canonical vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Canonical Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-12391 | Jul 16, 2026 |
Ubuntu Pro Client: Insecure Symlink Follow leads to Info DisclosureAn insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets. |
|
| CVE-2026-11386 | Jul 16, 2026 |
Ubuntu-Pro-Client Root Priv Escalation via APT Source InjectionAn input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] fieldwhich is passed positionally into a root-executed apt-get install commandan attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images. |
|
| CVE-2026-9494 | Jul 16, 2026 |
Info Disclosure in Canonical Ubuntu Pro Client via Cleartext TokenAn information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories. |
|
| CVE-2026-3842 | Jul 16, 2026 |
QEMU OOB Write via cpu_physical_mem Map Length MismatchA flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a shorter length than expected, leading to an out-of-bounds write. Successful exploitation could result in unauthorized access to guest memory or corruption of heap-allocated objects, potentially causing information disclosure, data integrity issues, or a denial of service. |
|
| CVE-2026-50659 | Jul 14, 2026 |
Jul 2026: .NET Spoofing VulnerabilityImproper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network. |
|
| CVE-2026-50651 | Jul 14, 2026 |
Jul 2026: .NET Denial of Service VulnerabilityAllocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-50648 | Jul 14, 2026 |
Jul 2026: .NET Framework Denial of Service VulnerabilityAllocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-50528 | Jul 14, 2026 |
Jul 2026: .NET Security Feature Bypass VulnerabilityIncorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network. |
|
| CVE-2026-50527 | Jul 14, 2026 |
Jul 2026: .NET Framework Denial of Service VulnerabilityStack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-50526 | Jul 14, 2026 |
Jul 2026: .NET Tampering VulnerabilityImproper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally. |
|
| CVE-2026-50524 | Jul 14, 2026 |
Jul 2026: .NET Framework Denial of Service VulnerabilityImproper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-50525 | Jul 14, 2026 |
Jul 2026: .NET Denial of Service VulnerabilityAllocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-47304 | Jul 14, 2026 |
Jul 2026: .NET Security Feature Bypass VulnerabilityImproper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network. |
|
| CVE-2026-47303 | Jul 14, 2026 |
Jul 2026: ASP.NET Core Elevation of Privilege VulnerabilityAuthentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network. |
|
| CVE-2026-47302 | Jul 14, 2026 |
Jul 2026: .NET Denial of Service VulnerabilityAllocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-47300 | Jul 14, 2026 |
Jul 2026: ASP.NET Core Elevation of Privilege VulnerabilityIncorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network. |
|
| CVE-2026-57108 | Jul 14, 2026 |
Jul 2026: .NET Denial of Service VulnerabilityAccess of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network. |
|
| CVE-2026-59856 | Jul 09, 2026 |
Vim 9.2.0736 PHP Omni-Completion Open Shell via win_executeVim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736. |
|
| CVE-2026-59858 | Jul 09, 2026 |
Vim <9.2.0735: Command Injection via C omnicompletion tagsVim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735. |
|
| CVE-2026-59857 | Jul 09, 2026 |
Vim <9.2.0725: spell_soundfold_sal Buffer Overwrite CVE-2026-59857Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725. |
|
| CVE-2026-10037 | Jul 08, 2026 |
OpenJDK Sandbox Escape via .jar MIME Handler on UbuntuA sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-desktop-portal-gtk can write a malicious .jar file to the host file system, set its executable bit, and trigger the handler to execute arbitrary code outside of the sandbox environment. |
|
| CVE-2026-60002 | Jul 08, 2026 |
OpenSSH <=10.3 Use-After-Free via Host Key Change (ssh)ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.) |
|
| CVE-2026-60001 | Jul 08, 2026 |
OpenSSH sshd min auth delay bypass before 10.4sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay. |
|
| CVE-2026-60000 | Jul 08, 2026 |
OpenSSH <10.4 GSSAPI MaxAuthTries DoSsshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication. |
|
| CVE-2026-59999 | Jul 08, 2026 |
OpenSSH<10.4 DisableForwarding fails to block PermitTunnelIn sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not. |
|
| CVE-2026-59998 | Jul 08, 2026 |
OpenSSH sshd GSSAPIStrictAcceptorCheck Misconfig Pre-10.4 on ADsshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. |
|
| CVE-2026-59997 | Jul 08, 2026 |
OpenSSH <=10.3 internal-sftp accepts only first 9 argsinternal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection. |
|
| CVE-2026-59996 | Jul 08, 2026 |
OpenSSH <10.4 SCP Path Traversal Remote Files Pushed to Parent Directoryscp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations. |
|
| CVE-2026-59995 | Jul 08, 2026 |
OpenSSH SFTP Server Path Constraint Flaw <10.4sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server. |
|
| CVE-2026-58472 | Jul 07, 2026 |
Heap Buffer Overflow in GNU Wget 1.25.0 html_quote_string() (convert.c)GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase. |
|
| CVE-2026-58471 | Jul 07, 2026 |
GNU Wget 1.25.0 Heap Buffer Overflow (convert_fname)GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response. |
|
| CVE-2026-58470 | Jul 07, 2026 |
Wget 1.25.0 Integer Overflow in parse_content_range()GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client. |
|
| CVE-2026-58469 | Jul 07, 2026 |
GNU Wget <1.25.0 Heap Buffer Underread in clean_metalink_stringGNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior. |
|
| CVE-2026-13122 | Jul 06, 2026 |
OpenVPN 2.6.0-2.6.20/2.7.0-2.7.4 Remote DoS via Malformed Auth TokenOpenVPN version 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers to cause a denial of service via a malformed authentication token that triggers a reachable assertion when external-auth is enabled |
|
| CVE-2026-13698 | Jul 06, 2026 |
OpenVPN 2.5.0-2.5.11/2.6.0-2.6.20/2.7.0-2.7.4 memory leak permits DoSA memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service |
|
| CVE-2026-9547 | Jul 03, 2026 |
libcurl SSH Key Type Mismatch Allows Silent MITM via CURLOPT_SSH_KEYFUNCTIONWhen a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack. |
|
| CVE-2026-9545 | Jul 03, 2026 |
libcurl HTTP/3 session resumption EarlyData info leakIn this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information. |
|
| CVE-2026-9080 | Jul 03, 2026 |
libcurl UAF via curl_easy_pause() in SOCKETFUNCTIONCalling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed. |
|
| CVE-2026-9079 | Jul 03, 2026 |
Privilege Esc Escalation: libcurl Fails to Clear Proxy Auth Credentialslibcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them. |
|
| CVE-2026-8927 | Jul 03, 2026 |
libcurl: Proxy Auth Leakage on Reused HandlesWhen reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`. |
|
| CVE-2026-8926 | Jul 03, 2026 |
curl Credential Inference via .netrc/Username MismatchWhen asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user. |
|
| CVE-2026-8925 | Jul 03, 2026 |
cURL doublefree via GSASL context cleanup bugThe curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice. |
|
| CVE-2026-8924 | Jul 03, 2026 |
Curl Cookie Parsing Vulnerability: Super Cookies Bypass PSLA flaw in curls cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains. |
|
| CVE-2026-8458 | Jul 03, 2026 |
libcurl Negotiate Authentication Connection Reuse Flawlibcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services. |
|
| CVE-2026-8286 | Jul 03, 2026 |
CURL STARTTLS Connection Reuse with TLS MismatchA vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not. |
|
| CVE-2026-12064 | Jul 03, 2026 |
cURL SSH Host Verification Bypass via Schemaless URL & --proto-defaultWhen a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error. |
|
| CVE-2026-11586 | Jul 03, 2026 |
curl Unbounded WebSocket PING Memory ExhaustionBy default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages. |
|
| CVE-2026-11564 | Jul 03, 2026 |
libcurl CA Trust Leakage via Persistent Connection Poollibcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer. |
|
| CVE-2026-11352 | Jul 03, 2026 |
Curl QUIC HTTP/3 UDP DoS from Empty Datagram AbuseAn issue in curls QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client. |
|
| CVE-2026-10536 | Jul 03, 2026 |
Use-After-Free in libcurl during cleanup after stream-dependency resetA use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation. |
|