Canonical Ubuntu Linux Linux Operating System
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Canonical Ubuntu Linux.
Recent Canonical Ubuntu Linux Security Advisories
| Advisory | Title | Published |
|---|---|---|
| USN-8477-2 | USN-8477-2: tar regression | July 16, 2026 |
| USN-8557-1 | USN-8557-1: Authlib vulnerabilities | July 16, 2026 |
| USN-8556-1 | USN-8556-1: Ruby vulnerabilities | July 16, 2026 |
| USN-8555-1 | USN-8555-1: Ubuntu Advantage Tools (pro client) vulnerabilities | July 16, 2026 |
| USN-8554-1 | USN-8554-1: NTFS-3G vulnerabilities | July 16, 2026 |
| USN-8553-1 | USN-8553-1: .NET vulnerabilities | July 15, 2026 |
| USN-8552-1 | USN-8552-1: Sympa vulnerability | July 15, 2026 |
| USN-8551-1 | USN-8551-1: Tomcat vulnerabilities | July 15, 2026 |
| USN-8550-1 | USN-8550-1: libslirp vulnerability | July 15, 2026 |
| USN-8549-1 | USN-8549-1: idna vulnerability | July 15, 2026 |
By the Year
In 2026 there have been 1580 vulnerabilities in Canonical Ubuntu Linux with an average score of 7.1 out of ten. Last year, in 2025 Ubuntu Linux had 2890 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Ubuntu Linux in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.78.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1580 | 7.11 |
| 2025 | 2890 | 6.33 |
| 2024 | 3583 | 6.40 |
| 2023 | 1080 | 6.86 |
| 2022 | 1210 | 6.98 |
| 2021 | 751 | 6.87 |
| 2020 | 753 | 6.23 |
| 2019 | 793 | 6.98 |
| 2018 | 929 | 7.10 |
It may take a day or so for new Ubuntu Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Canonical Ubuntu Linux Security Vulnerabilities
Ubuntu Pro Client: Insecure Symlink Follow leads to Info Disclosure
CVE-2026-12391
5 - Medium
- July 16, 2026
An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.
insecure temporary file
Ubuntu-Pro-Client Root Priv Escalation via APT Source Injection
CVE-2026-11386
9 - Critical
- July 16, 2026
An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] fieldwhich is passed positionally into a root-executed apt-get install commandan attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
Improper Input Validation
Info Disclosure in Canonical Ubuntu Pro Client via Cleartext Token
CVE-2026-9494
5.5 - Medium
- July 16, 2026
An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
Invocation of Process Using Visible Sensitive Information
QEMU OOB Write via cpu_physical_mem Map Length Mismatch
CVE-2026-3842
7.8 - High
- July 16, 2026
A flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a shorter length than expected, leading to an out-of-bounds write. Successful exploitation could result in unauthorized access to guest memory or corruption of heap-allocated objects, potentially causing information disclosure, data integrity issues, or a denial of service.
Memory Corruption
Jul 2026: .NET Spoofing Vulnerability
CVE-2026-50659
6.5 - Medium
- July 14, 2026
Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.
Output Sanitization
Jul 2026: .NET Denial of Service Vulnerability
CVE-2026-50651
7.5 - High
- July 14, 2026
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Allocation of Resources Without Limits or Throttling
Jul 2026: .NET Framework Denial of Service Vulnerability
CVE-2026-50648
7.5 - High
- July 14, 2026
Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network.
Allocation of Resources Without Limits or Throttling
Jul 2026: .NET Security Feature Bypass Vulnerability
CVE-2026-50528
8.2 - High
- July 14, 2026
Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.
AuthZ
Jul 2026: .NET Framework Denial of Service Vulnerability
CVE-2026-50527
7.5 - High
- July 14, 2026
Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network.
Stack Overflow
Jul 2026: .NET Tampering Vulnerability
CVE-2026-50526
7 - High
- July 14, 2026
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally.
insecure temporary file
Jul 2026: .NET Denial of Service Vulnerability
CVE-2026-50525
7.5 - High
- July 14, 2026
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Allocation of Resources Without Limits or Throttling
Jul 2026: .NET Framework Denial of Service Vulnerability
CVE-2026-50524
7.5 - High
- July 14, 2026
Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network.
Improper Validation of Specified Type of Input
Jul 2026: .NET Security Feature Bypass Vulnerability
CVE-2026-47304
8.1 - High
- July 14, 2026
Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
Improper Verification of Cryptographic Signature
Jul 2026: ASP.NET Core Elevation of Privilege Vulnerability
CVE-2026-47303
8.8 - High
- July 14, 2026
Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Authentication Bypass by Assumed-Immutable Data
Jul 2026: .NET Denial of Service Vulnerability
CVE-2026-47302
7.5 - High
- July 14, 2026
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Allocation of Resources Without Limits or Throttling
Jul 2026: ASP.NET Core Elevation of Privilege Vulnerability
CVE-2026-47300
8.8 - High
- July 14, 2026
Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Incorrect Implementation of Authentication Algorithm
Jul 2026: .NET Denial of Service Vulnerability
CVE-2026-57108
7.5 - High
- July 14, 2026
Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.
Object Type Confusion
Vim 9.2.0736 PHP Omni-Completion Open Shell via win_execute
CVE-2026-59856
- July 09, 2026
Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.
Code Injection
Vim <9.2.0735: Command Injection via C omnicompletion tags
CVE-2026-59858
- July 09, 2026
Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.
Code Injection
Vim <9.2.0725: spell_soundfold_sal Buffer Overwrite CVE-2026-59857
CVE-2026-59857
- July 09, 2026
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.
Memory Corruption
OpenSSH <=10.3 Use-After-Free via Host Key Change (ssh)
CVE-2026-60002
7.7 - High
- July 08, 2026
ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
Dangling pointer
OpenSSH sshd min auth delay bypass before 10.4
CVE-2026-60001
6.5 - Medium
- July 08, 2026
sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
Allocation of Resources Without Limits or Throttling
OpenSSH <10.4 GSSAPI MaxAuthTries DoS
CVE-2026-60000
3.7 - Low
- July 08, 2026
sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
Allocation of Resources Without Limits or Throttling
OpenSSH<10.4 DisableForwarding fails to block PermitTunnel
CVE-2026-59999
5.9 - Medium
- July 08, 2026
In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
Use of Less Trusted Source
OpenSSH sshd GSSAPIStrictAcceptorCheck Misconfig Pre-10.4 on AD
CVE-2026-59998
4.8 - Medium
- July 08, 2026
sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
Improper Following of Specification by Caller
OpenSSH <=10.3 internal-sftp accepts only first 9 args
CVE-2026-59997
4.2 - Medium
- July 08, 2026
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
Improper Validation of Specified Quantity in Input
OpenSSH <10.4 SCP Path Traversal Remote Files Pushed to Parent Directory
CVE-2026-59996
4.2 - Medium
- July 08, 2026
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
Relative Path Traversal
OpenSSH SFTP Server Path Constraint Flaw <10.4
CVE-2026-59995
4.2 - Medium
- July 08, 2026
sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
Relative Path Traversal
Heap Buffer Overflow in GNU Wget 1.25.0 html_quote_string() (convert.c)
CVE-2026-58472
5.9 - Medium
- July 07, 2026
GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
Integer Overflow or Wraparound
GNU Wget 1.25.0 Heap Buffer Overflow (convert_fname)
CVE-2026-58471
5.9 - Medium
- July 07, 2026
GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
Heap-based Buffer Overflow
Wget 1.25.0 Integer Overflow in parse_content_range()
CVE-2026-58470
5.3 - Medium
- July 07, 2026
GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
Integer Overflow or Wraparound
GNU Wget <1.25.0 Heap Buffer Underread in clean_metalink_string
CVE-2026-58469
7.5 - High
- July 07, 2026
GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
Out-of-bounds Read
OpenVPN 2.6.0-2.6.20/2.7.0-2.7.4 Remote DoS via Malformed Auth Token
CVE-2026-13122
- July 06, 2026
OpenVPN version 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers to cause a denial of service via a malformed authentication token that triggers a reachable assertion when external-auth is enabled
assertion failure
OpenVPN 2.5.0-2.5.11/2.6.0-2.6.20/2.7.0-2.7.4 memory leak permits DoS
CVE-2026-13698
- July 06, 2026
A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
Memory Leak
libcurl SSH Key Type Mismatch Allows Silent MITM via CURLOPT_SSH_KEYFUNCTION
CVE-2026-9547
7.4 - High
- July 03, 2026
When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
libcurl HTTP/3 session resumption EarlyData info leak
CVE-2026-9545
7.5 - High
- July 03, 2026
In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.
libcurl UAF via curl_easy_pause() in SOCKETFUNCTION
CVE-2026-9080
7.3 - High
- July 03, 2026
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
Privilege Esc Escalation: libcurl Fails to Clear Proxy Auth Credentials
CVE-2026-9079
9.8 - Critical
- July 03, 2026
libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
libcurl: Proxy Auth Leakage on Reused Handles
CVE-2026-8927
9.1 - Critical
- July 03, 2026
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
curl Credential Inference via .netrc/Username Mismatch
CVE-2026-8926
9.1 - Critical
- July 03, 2026
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
cURL doublefree via GSASL context cleanup bug
CVE-2026-8925
9.8 - Critical
- July 03, 2026
The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.
Curl Cookie Parsing Vulnerability: Super Cookies Bypass PSL
CVE-2026-8924
9.1 - Critical
- July 03, 2026
A flaw in curls cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
libcurl Negotiate Authentication Connection Reuse Flaw
CVE-2026-8458
6.5 - Medium
- July 03, 2026
libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
CURL STARTTLS Connection Reuse with TLS Mismatch
CVE-2026-8286
8.1 - High
- July 03, 2026
A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
cURL SSH Host Verification Bypass via Schemaless URL & --proto-default
CVE-2026-12064
7.5 - High
- July 03, 2026
When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
curl Unbounded WebSocket PING Memory Exhaustion
CVE-2026-11586
7.5 - High
- July 03, 2026
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
libcurl CA Trust Leakage via Persistent Connection Pool
CVE-2026-11564
9.1 - Critical
- July 03, 2026
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
Curl QUIC HTTP/3 UDP DoS from Empty Datagram Abuse
CVE-2026-11352
7.5 - High
- July 03, 2026
An issue in curls QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
Use-After-Free in libcurl during cleanup after stream-dependency reset
CVE-2026-10536
9.8 - Critical
- July 03, 2026
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
containerd CRI pathtraversal bug pre2.3.2/2.2.5/2.1.9
CVE-2026-53489
- July 01, 2026
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.
Symlink following
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Canonical Ubuntu Linux or by Canonical? Click the Watch button to subscribe.