Ubuntu Linux Canonical Ubuntu Linux Linux Operating System

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Canonical Ubuntu Linux.

Recent Canonical Ubuntu Linux Security Advisories

Advisory Title Published
USN-8530-1 USN-8530-1: Linux kernel (AWS) vulnerabilities July 10, 2026
USN-8529-1 USN-8529-1: Linux kernel vulnerabilities July 10, 2026
USN-8528-1 USN-8528-1: Linux kernel (Xilinx ZynqMP) vulnerabilities July 10, 2026
USN-8527-1 USN-8527-1: Linux kernel (Raspberry Pi) vulnerabilities July 10, 2026
USN-8492-5 USN-8492-5: Linux kernel (FIPS) vulnerabilities July 10, 2026
USN-8526-1 USN-8526-1: libheif vulnerabilities July 9, 2026
USN-8525-1 USN-8525-1: curl vulnerabilities July 9, 2026
USN-8524-1 USN-8524-1: Python vulnerability July 9, 2026
USN-8523-1 USN-8523-1: libsoup vulnerabilities July 9, 2026
USN-8522-1 USN-8522-1: LibRaw vulnerabilities July 9, 2026

By the Year

In 2026 there have been 1513 vulnerabilities in Canonical Ubuntu Linux with an average score of 7.1 out of ten. Last year, in 2025 Ubuntu Linux had 2890 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Ubuntu Linux in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.80.




Year Vulnerabilities Average Score
2026 1513 7.13
2025 2890 6.33
2024 3580 6.40
2023 1080 6.86
2022 1210 6.99
2021 751 6.87
2020 753 6.23
2019 793 6.98
2018 929 7.10

It may take a day or so for new Ubuntu Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Canonical Ubuntu Linux Security Vulnerabilities

libcurl SSH Key Type Mismatch Allows Silent MITM via CURLOPT_SSH_KEYFUNCTION
CVE-2026-9547 7.4 - High - July 03, 2026

When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.

libcurl HTTP/3 session resumption EarlyData info leak
CVE-2026-9545 7.5 - High - July 03, 2026

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.

libcurl UAF via curl_easy_pause() in SOCKETFUNCTION
CVE-2026-9080 7.3 - High - July 03, 2026

Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.

Privilege Esc Escalation: libcurl Fails to Clear Proxy Auth Credentials
CVE-2026-9079 9.8 - Critical - July 03, 2026

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

libcurl: Proxy Auth Leakage on Reused Handles
CVE-2026-8927 9.1 - Critical - July 03, 2026

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.

curl Credential Inference via .netrc/Username Mismatch
CVE-2026-8926 9.1 - Critical - July 03, 2026

When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.

cURL doublefree via GSASL context cleanup bug
CVE-2026-8925 9.8 - Critical - July 03, 2026

The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.

Curl Cookie Parsing Vulnerability: Super Cookies Bypass PSL
CVE-2026-8924 9.1 - Critical - July 03, 2026

A flaw in curls cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

libcurl Negotiate Authentication Connection Reuse Flaw
CVE-2026-8458 6.5 - Medium - July 03, 2026

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.

CURL STARTTLS Connection Reuse with TLS Mismatch
CVE-2026-8286 8.1 - High - July 03, 2026

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.

cURL SSH Host Verification Bypass via Schemaless URL & --proto-default
CVE-2026-12064 7.5 - High - July 03, 2026

When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

curl Unbounded WebSocket PING Memory Exhaustion
CVE-2026-11586 7.5 - High - July 03, 2026

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

libcurl CA Trust Leakage via Persistent Connection Pool
CVE-2026-11564 9.1 - Critical - July 03, 2026

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Curl QUIC HTTP/3 UDP DoS from Empty Datagram Abuse
CVE-2026-11352 7.5 - High - July 03, 2026

An issue in curls QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

Use-After-Free in libcurl during cleanup after stream-dependency reset
CVE-2026-10536 9.8 - Critical - July 03, 2026

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

containerd CRI pathtraversal bug pre2.3.2/2.2.5/2.1.9
CVE-2026-53489 - July 01, 2026

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Symlink following

containerd CDI Annotation Injection via Untrusted Checkpoints (pre-2.3.2)
CVE-2026-53492 - July 01, 2026

containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Improper Input Validation

containerd CRI Checkpoint Image Cache Poisoning (v<2.3.2,2.2.5,2.1.9)
CVE-2026-50195 - July 01, 2026

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Insufficient Verification of Data Authenticity

containerd DoS via faulty image load causing OOM kill (v<1.7.33,2.0.10,2.1.9)
CVE-2026-47262 - July 01, 2026

containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.

Resource Exhaustion

CLAMAV ALZ Parser OOB Buffer Write -> DoS
CVE-2026-20243 7.5 - High - July 01, 2026

A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in ALZ files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains ALZ content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Classic Buffer Overflow

DoS via DMG parser in ClamAV
CVE-2026-20244 7.5 - High - July 01, 2026

A vulnerability in the DMG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in DMG files during scanning, which may result in an integer overflow on 32-bit platforms only. An attacker could exploit this vulnerability by submitting a crafted file that contains DMG content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Classic Buffer Overflow

ClamAV 7z Parser DoS via Mem Corrupt
CVE-2026-20215 7.5 - High - July 01, 2026

A vulnerability in the 7z file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in 7z files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains 7z&nbsp;content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Classic Buffer Overflow

ClamAV PESpin Parser Overflow: DoS via crafted file
CVE-2026-20217 7.5 - High - July 01, 2026

A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in PESpin files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PESpin content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Classic Buffer Overflow

ClamAV InstallShield Parser DoS via Resource Abuse
CVE-2026-20216 7.5 - High - July 01, 2026

A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper handling of temporary resources during file scanning. An attacker could exploit this vulnerability by submitting a crafted InstallShield file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process and temporarily consume available system resources, resulting in a DoS condition on the affected software.

Allocation of Resources Without Limits or Throttling

ClamAV PE Parser OOB Buffer Write DoS
CVE-2026-20213 7.5 - High - July 01, 2026

A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in PE files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PE content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Classic Buffer Overflow

FSG Parsing Buffer Overflow Causes DoS in ClamAV
CVE-2026-20214 7.5 - High - July 01, 2026

A vulnerability in the FSG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in FSG files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains portable executable content compressed with FSG to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Classic Buffer Overflow

CRI Label Injection in containerd 1.7.x/2.0-2.3 (1.7.33/2.3.2)
CVE-2026-53488 - July 01, 2026

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.

Improper Input Validation

GNU gzip LZH buffer overflow via global state reuse
CVE-2026-41992 - June 29, 2026

GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an outofbounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681

Buffer Over-read

GNU gzip gzexe TOCTOU File Overwrite via Symlink
CVE-2026-41991 - June 29, 2026

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the users PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can precreate the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a timeofcheck to timeofuse (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269

Insecure Temporary File

Heap Overflow in socat 1.8.0-1.8.1.1 via Sign-Extension in DOMAINNAME Parser
CVE-2026-56123 8.1 - High - June 25, 2026

socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read through a signed char field causing a negative bytes_to_read value that is implicitly converted to size_t, resulting in an unbounded heap write into the 262-byte reply buffer with attacker-controlled size and content.

Heap-based Buffer Overflow

Vim Stack OOB Write CVE-2026-55693 (before 9.2.0653) in spellfile.c
CVE-2026-55693 - June 25, 2026

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.

Memory Corruption

Vim <=9.2.0661 Stack OOB Write in dump_prefixes() (spell.c)
CVE-2026-55892 5.5 - Medium - June 25, 2026

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

Memory Corruption

Vim <=9.2.0662 Netrw LocalRmFile Vimscript Injection
CVE-2026-55895 - June 25, 2026

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.

Shell injection

Vim 9.2.0671: Decryption Underflow Crash (VimCrypt~04/05)
CVE-2026-57452 5.5 - Medium - June 25, 2026

Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.

Out-of-bounds Read

Vim 9.1.1784-9.2.0678 PowerShell command injection via zip plugin
CVE-2026-57453 6.5 - Medium - June 25, 2026

Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.

Command Injection

Stack OOB Write in Vim <9.2.0698, spell.c SOFO Handling
CVE-2026-57455 - June 25, 2026

Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.

Memory Corruption

Vim<9.2.0699 : Python omnicompletion exec() injection
CVE-2026-57456 - June 25, 2026

Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.

Code Injection

Linux kernel overlay readdir bug: bogus non-zero error from PTR_ERR
CVE-2026-53174 7.8 - High - June 25, 2026

In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.

NSD 4.10.1-4.14.3 TLS Auth Name Bypass on Secondary XFR
CVE-2026-12490 - June 25, 2026

When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.

Missing Authentication for Critical Function

NSD 4.14.0-4.14.2 Stack Overwrite via APL RR (adflength)
CVE-2026-12246 - June 25, 2026

NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.

Classic Buffer Overflow

NSD 4.13.0 Heap UAF via TLS Logging on DoT
CVE-2026-12245 - June 25, 2026

NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.

Dangling pointer

NSD 4.14.0-4.14.2: AXFR SVCB RR Heap Overflow RCE
CVE-2026-12244 - June 25, 2026

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes

Integer Overflow or Wraparound

Linux Kernel io_uring Poll Ref Signed Comparison Bug Fixed
CVE-2026-52933 7.8 - High - June 24, 2026

In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix signed comparison in io_poll_get_ownership() io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken. Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.

libheif <=1.22.1 OOB Heap Read via Wrapped Offset in HEIF
CVE-2026-49271 6.5 - Medium - June 19, 2026

libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.

Out-of-bounds Read

QEMU virtio-snd Input Callback Heap OOB Write CVE-2026-3195
CVE-2026-3195 7.4 - High - June 19, 2026

A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730.

Heap-based Buffer Overflow

Virtio-snd Integer Overflow Host DoS via PCM_INFO
CVE-2026-3196 5.5 - Medium - June 19, 2026

An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition.

Integer Overflow or Wraparound

libssh2 <=1.11.1 OOB Heap Read in sftp_symlink() (SSH_FXP_NAME over-read)
CVE-2025-15661 6.5 - Medium - June 18, 2026

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.

Out-of-bounds Read

libssh2 1.11.1 OOB Write in ssh2_transport_read() via oversized packet_length
CVE-2026-55200 8.1 - High - June 17, 2026

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

Integer Overflow to Buffer Overflow

libssh2 <=1.11.1 SSH_MSG_EXT_INFO Pre-auth CPU DoS
CVE-2026-55199 5.9 - Medium - June 17, 2026

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.

Infinite Loop

GnuTLS UAF in pkcs11_token_set_pin on NULL SO PIN
CVE-2026-42014 6.6 - Medium - June 16, 2026

A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

Dangling pointer

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Canonical Ubuntu Linux or by Canonical? Click the Watch button to subscribe.

Canonical
Vendor

Canonical Ubuntu Linux
Linux Operating System

subscribe