Canonical Ubuntu Linux vulnerabilities

CVE-2025-13350 [HIGH] CWE-416 CVE-2025-13350: Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queu

CVE-2025-32463 [CRITICAL] CWE-829 CVE-2025-32463: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

CVE-2025-5054 [MEDIUM] CWE-362 CVE-2025-5054: Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensit Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to

CVE-2023-5616 [MEDIUM] CWE-290 CVE-2023-5616: In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use systemd socket activation for openssh-server. This could unknowingly leave the local machine exposed to remote SSH access contrary to expectation of the user.

CVE-2022-1804 [MEDIUM] CWE-269 CVE-2022-1804: accountsservice no longer drops permissions when writting .pam_environment accountsservice no longer drops permissions when writting .pam_environment

CVE-2025-26466 [MEDIUM] CWE-770 CVE-2025-26466: A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the

CVE-2022-1736 [CRITICAL] CVE-2022-1736: Ubuntu's configuration of gnome-control-center allowed Remote Desktop Sharing to be enabled by defau Ubuntu's configuration of gnome-control-center allowed Remote Desktop Sharing to be enabled by default.

CVE-2024-6387 [HIGH] CWE-364 CVE-2024-6387: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race con A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

CVE-2020-27352 [CRITICAL] CWE-269 CVE-2020-27352: When generating the systemd service units for the docker snap (and other similar snaps), snapd does When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a

CVE-2022-28657 [HIGH] CWE-400 CVE-2022-28657: Apport does not disable python crash handler before entering chroot Apport does not disable python crash handler before entering chroot

CVE-2022-28655 [HIGH] CWE-770 CVE-2022-28655: is_closing_session() allows users to create arbitrary tcp dbus connections is_closing_session() allows users to create arbitrary tcp dbus connections

CVE-2022-28656 [MEDIUM] CWE-770 CVE-2022-28656: is_closing_session() allows users to consume RAM in the Apport process is_closing_session() allows users to consume RAM in the Apport process

CVE-2022-28652 [MEDIUM] CWE-776 CVE-2022-28652: ~/.config/apport/settings parsing is vulnerable to "billion laughs" attack ~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

CVE-2022-28654 [MEDIUM] CWE-770 CVE-2022-28654: is_closing_session() allows users to fill up apport.log is_closing_session() allows users to fill up apport.log

CVE-2022-28658 [MEDIUM] CVE-2022-28658: Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofin Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing

CVE-2022-1242 [HIGH] CWE-20 CVE-2022-1242: Apport can be tricked into connecting to arbitrary sockets as the root user Apport can be tricked into connecting to arbitrary sockets as the root user

CVE-2021-3899 [HIGH] CWE-367 CVE-2021-3899: There is a race condition in the 'replaced executable' detection that, with the correct local config There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allow an attacker to execute arbitrary code as root.

CVE-2022-2586 [MEDIUM] CWE-416 CVE-2022-2586: It was discovered that a nft object or expression could reference a nft set on a different nft table It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.

CVE-2022-3328 [HIGH] CWE-362 CVE-2022-3328: Race condition in snap-confine's must_mkdir_and_open_with_perms() Race condition in snap-confine's must_mkdir_and_open_with_perms()

CVE-2021-3600 [HIGH] CWE-125 CVE-2021-3600: It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds inf It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.