Canonical Canonical Linux software

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Canonical product.

RSS Feeds for Canonical security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Canonical products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Canonical Sorted by Most Security Vulnerabilities since 2018

Canonical Ubuntu Linux14822 vulnerabilities
Linux Operating System

Canonical Lxd19 vulnerabilities

Canonical Snapd17 vulnerabilities

Canonical Apport15 vulnerabilities

Canonical Cloud Init7 vulnerabilities

Canonical Netplan1 vulnerability

Canonical Juju1 vulnerability

Canonical Anbox Cloud1 vulnerability

Recent Canonical Security Advisories

Advisory Title Published
USN-8477-2 USN-8477-2: tar regression July 16, 2026
USN-8557-1 USN-8557-1: Authlib vulnerabilities July 16, 2026
USN-8556-1 USN-8556-1: Ruby vulnerabilities July 16, 2026
USN-8555-1 USN-8555-1: Ubuntu Advantage Tools (pro client) vulnerabilities July 16, 2026
USN-8554-1 USN-8554-1: NTFS-3G vulnerabilities July 16, 2026
USN-8553-1 USN-8553-1: .NET vulnerabilities July 15, 2026
USN-8552-1 USN-8552-1: Sympa vulnerability July 15, 2026
USN-8551-1 USN-8551-1: Tomcat vulnerabilities July 15, 2026
USN-8550-1 USN-8550-1: libslirp vulnerability July 15, 2026
USN-8549-1 USN-8549-1: idna vulnerability July 15, 2026

By the Year

In 2026 there have been 1607 vulnerabilities in Canonical with an average score of 7.1 out of ten. Last year, in 2025 Canonical had 2902 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Canonical in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.80.




Year Vulnerabilities Average Score
2026 1607 7.13
2025 2902 6.33
2024 3590 6.40
2023 1085 6.86
2022 1210 6.98
2021 774 6.87
2020 766 6.24
2019 796 6.99
2018 931 7.10

It may take a day or so for new Canonical vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Canonical Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-12391 Jul 16, 2026
Ubuntu Pro Client: Insecure Symlink Follow leads to Info Disclosure An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.
Ubuntu Linux
CVE-2026-11386 Jul 16, 2026
Ubuntu-Pro-Client Root Priv Escalation via APT Source Injection An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] fieldwhich is passed positionally into a root-executed apt-get install commandan attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
Ubuntu Linux
CVE-2026-9494 Jul 16, 2026
Info Disclosure in Canonical Ubuntu Pro Client via Cleartext Token An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
Ubuntu Linux
CVE-2026-3842 Jul 16, 2026
QEMU OOB Write via cpu_physical_mem Map Length Mismatch A flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a shorter length than expected, leading to an out-of-bounds write. Successful exploitation could result in unauthorized access to guest memory or corruption of heap-allocated objects, potentially causing information disclosure, data integrity issues, or a denial of service.
Ubuntu Linux
CVE-2026-50659 Jul 14, 2026
Jul 2026: .NET Spoofing Vulnerability Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.
Ubuntu Linux
CVE-2026-50651 Jul 14, 2026
Jul 2026: .NET Denial of Service Vulnerability Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-50648 Jul 14, 2026
Jul 2026: .NET Framework Denial of Service Vulnerability Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-50528 Jul 14, 2026
Jul 2026: .NET Security Feature Bypass Vulnerability Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.
Ubuntu Linux
CVE-2026-50527 Jul 14, 2026
Jul 2026: .NET Framework Denial of Service Vulnerability Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-50526 Jul 14, 2026
Jul 2026: .NET Tampering Vulnerability Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally.
Ubuntu Linux
CVE-2026-50524 Jul 14, 2026
Jul 2026: .NET Framework Denial of Service Vulnerability Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-50525 Jul 14, 2026
Jul 2026: .NET Denial of Service Vulnerability Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-47304 Jul 14, 2026
Jul 2026: .NET Security Feature Bypass Vulnerability Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
Ubuntu Linux
CVE-2026-47303 Jul 14, 2026
Jul 2026: ASP.NET Core Elevation of Privilege Vulnerability Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Ubuntu Linux
CVE-2026-47302 Jul 14, 2026
Jul 2026: .NET Denial of Service Vulnerability Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-47300 Jul 14, 2026
Jul 2026: ASP.NET Core Elevation of Privilege Vulnerability Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Ubuntu Linux
CVE-2026-57108 Jul 14, 2026
Jul 2026: .NET Denial of Service Vulnerability Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.
Ubuntu Linux
CVE-2026-59856 Jul 09, 2026
Vim 9.2.0736 PHP Omni-Completion Open Shell via win_execute Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.
Ubuntu Linux
CVE-2026-59858 Jul 09, 2026
Vim <9.2.0735: Command Injection via C omnicompletion tags Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.
Ubuntu Linux
CVE-2026-59857 Jul 09, 2026
Vim <9.2.0725: spell_soundfold_sal Buffer Overwrite CVE-2026-59857 Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.
Ubuntu Linux
CVE-2026-10037 Jul 08, 2026
OpenJDK Sandbox Escape via .jar MIME Handler on Ubuntu A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-desktop-portal-gtk can write a malicious .jar file to the host file system, set its executable bit, and trigger the handler to execute arbitrary code outside of the sandbox environment.
CVE-2026-60002 Jul 08, 2026
OpenSSH <=10.3 Use-After-Free via Host Key Change (ssh) ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
Ubuntu Linux
CVE-2026-60001 Jul 08, 2026
OpenSSH sshd min auth delay bypass before 10.4 sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
Ubuntu Linux
CVE-2026-60000 Jul 08, 2026
OpenSSH <10.4 GSSAPI MaxAuthTries DoS sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
Ubuntu Linux
CVE-2026-59999 Jul 08, 2026
OpenSSH<10.4 DisableForwarding fails to block PermitTunnel In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
Ubuntu Linux
CVE-2026-59998 Jul 08, 2026
OpenSSH sshd GSSAPIStrictAcceptorCheck Misconfig Pre-10.4 on AD sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
Ubuntu Linux
CVE-2026-59997 Jul 08, 2026
OpenSSH <=10.3 internal-sftp accepts only first 9 args internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
Ubuntu Linux
CVE-2026-59996 Jul 08, 2026
OpenSSH <10.4 SCP Path Traversal Remote Files Pushed to Parent Directory scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
Ubuntu Linux
CVE-2026-59995 Jul 08, 2026
OpenSSH SFTP Server Path Constraint Flaw <10.4 sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
Ubuntu Linux
CVE-2026-58472 Jul 07, 2026
Heap Buffer Overflow in GNU Wget 1.25.0 html_quote_string() (convert.c) GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
Ubuntu Linux
CVE-2026-58471 Jul 07, 2026
GNU Wget 1.25.0 Heap Buffer Overflow (convert_fname) GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
Ubuntu Linux
CVE-2026-58470 Jul 07, 2026
Wget 1.25.0 Integer Overflow in parse_content_range() GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
Ubuntu Linux
CVE-2026-58469 Jul 07, 2026
GNU Wget <1.25.0 Heap Buffer Underread in clean_metalink_string GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
Ubuntu Linux
CVE-2026-13122 Jul 06, 2026
OpenVPN 2.6.0-2.6.20/2.7.0-2.7.4 Remote DoS via Malformed Auth Token OpenVPN version 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers to cause a denial of service via a malformed authentication token that triggers a reachable assertion when external-auth is enabled
Ubuntu Linux
CVE-2026-13698 Jul 06, 2026
OpenVPN 2.5.0-2.5.11/2.6.0-2.6.20/2.7.0-2.7.4 memory leak permits DoS A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
Ubuntu Linux
CVE-2026-9547 Jul 03, 2026
libcurl SSH Key Type Mismatch Allows Silent MITM via CURLOPT_SSH_KEYFUNCTION When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
Ubuntu Linux
CVE-2026-9545 Jul 03, 2026
libcurl HTTP/3 session resumption EarlyData info leak In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.
Ubuntu Linux
CVE-2026-9080 Jul 03, 2026
libcurl UAF via curl_easy_pause() in SOCKETFUNCTION Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
Ubuntu Linux
CVE-2026-9079 Jul 03, 2026
Privilege Esc Escalation: libcurl Fails to Clear Proxy Auth Credentials libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
Ubuntu Linux
CVE-2026-8927 Jul 03, 2026
libcurl: Proxy Auth Leakage on Reused Handles When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
Ubuntu Linux
CVE-2026-8926 Jul 03, 2026
curl Credential Inference via .netrc/Username Mismatch When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
Ubuntu Linux
CVE-2026-8925 Jul 03, 2026
cURL doublefree via GSASL context cleanup bug The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.
Ubuntu Linux
CVE-2026-8924 Jul 03, 2026
Curl Cookie Parsing Vulnerability: Super Cookies Bypass PSL A flaw in curls cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
Ubuntu Linux
CVE-2026-8458 Jul 03, 2026
libcurl Negotiate Authentication Connection Reuse Flaw libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
Ubuntu Linux
CVE-2026-8286 Jul 03, 2026
CURL STARTTLS Connection Reuse with TLS Mismatch A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
Ubuntu Linux
CVE-2026-12064 Jul 03, 2026
cURL SSH Host Verification Bypass via Schemaless URL & --proto-default When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
Ubuntu Linux
CVE-2026-11586 Jul 03, 2026
curl Unbounded WebSocket PING Memory Exhaustion By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
Ubuntu Linux
CVE-2026-11564 Jul 03, 2026
libcurl CA Trust Leakage via Persistent Connection Pool libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
Ubuntu Linux
CVE-2026-11352 Jul 03, 2026
Curl QUIC HTTP/3 UDP DoS from Empty Datagram Abuse An issue in curls QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
Ubuntu Linux
CVE-2026-10536 Jul 03, 2026
Use-After-Free in libcurl during cleanup after stream-dependency reset A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
Ubuntu Linux
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.