Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Canonical Ltd.

BOS ID

-
BOSS-VENDOR-12705

Tags

-
N/A

Related Bos

-
Ubuntu

Note

-

https://canonical.com/

Mapped CVEsMapped VendorsRelated AssignersReports
4315Vulnerabilities found

CVE-2026-12391
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5||MEDIUM
EPSS-0.15% / 5.10%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 12:17
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ubuntu-pro-client Local Privilege Escalation and Information Disclosure via Symlink Arbitrary File Read in collect-logs

An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu 18.04 LTSUbuntu 16.04 LTSUbuntu 22.04 LTSUbuntu 24.04 LTSUbuntu 20.04 LTSUbuntu 26.04 LTSubuntu-pro-client (ubuntu-advantage-tools)
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-11386
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9||CRITICAL
EPSS-0.32% / 23.75%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 12:16
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution

An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu 18.04 LTSUbuntu 22.04 LTSUbuntu 24.04 LTSUbuntu 16.04 LTSUbuntu 20.04 LTSUbuntu 26.04 LTSubuntu-pro-client (ubuntu-advantage-tools)Ubuntu 14.04 LTS
CWE ID-CWE-20
Improper Input Validation
CVE-2026-9494
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 1.16%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 12:12
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line

An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu 18.04 LTSUbuntu 22.04 LTSUbuntu 24.04 LTSUbuntu 16.04 LTSUbuntu 20.04 LTSUbuntu 26.04 LTSubuntu-pro-client (ubuntu-advantage-tools)Ubuntu 14.04 LTS
CWE ID-CWE-214
Invocation of Process Using Visible Sensitive Information
CVE-2026-10037
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-8.8||HIGH
EPSS-0.12% / 2.17%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 21:18
Updated-14 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox Escape in Ubuntu OpenJDK Packages via xdg-desktop-portal

A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-desktop-portal-gtk can write a malicious .jar file to the host file system, set its executable bit, and trigger the handler to execute arbitrary code outside of the sandbox environment.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu
CWE ID-CWE-20
Improper Input Validation
CVE-2026-28385
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5||MEDIUM
EPSS-0.17% / 6.59%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 16:23
Updated-06 Jul, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF via image import from URL allows internal network probing by authenticated users

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.

Action-Not Available
Vendor-Canonical Ltd.
Product-lxdlxd
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-9640
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.2||HIGH
EPSS-0.34% / 26.48%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 15:50
Updated-30 Jun, 2026 | 05:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LXD Snapshot Import Privilege Escalation Vulnerability

A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.

Action-Not Available
Vendor-Canonical Ltd.
Product-LXD
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-9639
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.16%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 15:39
Updated-26 Jun, 2026 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Denial of Service via Malicious Backup Tarball in LXD

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.

Action-Not Available
Vendor-Canonical Ltd.
Product-LXD
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-12411
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-8.4||HIGH
EPSS-0.21% / 11.04%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 15:27
Updated-02 Jul, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Access Control in Canonical LXD DevLXD API

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

Action-Not Available
Vendor-Canonical Ltd.
Product-lxdlxd
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2026-12249
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9||CRITICAL
EPSS-0.11% / 1.57%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 15:43
Updated-22 Jun, 2026 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment

An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu 22.04 LTSUbuntu 20.04 LTSUbuntu 26.04 LTSUbuntu 24.04 LTSUbuntu 25.10
CWE ID-CWE-348
Use of Less Trusted Source
CVE-2026-10720
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 10.97%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 04:57
Updated-22 Jun, 2026 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MicroCeph path traversal issue in the remote-import API

Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate (such as enrolled cluster members) or join token can manipulate files in an imported remote cluster within the /var/snap/microceph confinement. This would allow daemon disruption and pollution of the cluster state.

Action-Not Available
Vendor-Canonical Ltd.
Product-Microceph
CWE ID-CWE-23
Relative Path Traversal
CVE-2026-47337
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-3.3||LOW
EPSS-0.09% / 0.73%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:29
Updated-29 May, 2026 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NULL pointer dereference in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation

Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_linuxUbuntu Linux
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-47336
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-3.3||LOW
EPSS-0.09% / 0.74%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:29
Updated-29 May, 2026 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of uninitialized value in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation rules

Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_linuxUbuntu Linux
CWE ID-CWE-457
Use of Uninitialized Variable
CVE-2026-47335
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 0.92%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:28
Updated-29 May, 2026 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NULL pointer dereference in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_linuxUbuntu Linux
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-47334
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.08% / 0.17%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:28
Updated-29 May, 2026 | 02:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deadlock or kernel panic in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-833
Deadlock
CVE-2026-47333
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.35%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:28
Updated-29 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Out-of-bounds read in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-47332
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 1.34%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:28
Updated-29 May, 2026 | 02:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Out-of-bounds read in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-47331
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.74%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:28
Updated-29 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-416
Use After Free
CVE-2026-47330
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-3.3||LOW
EPSS-0.09% / 0.65%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:27
Updated-29 May, 2026 | 02:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of uninitialized value in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-457
Use of Uninitialized Variable
CVE-2026-47329
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-3.3||LOW
EPSS-0.09% / 0.65%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:27
Updated-29 May, 2026 | 02:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect validation of field size in Ubuntu Linux AppArmor notification responses

Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2026-47328
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-6.1||MEDIUM
EPSS-0.09% / 0.71%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:27
Updated-09 Jun, 2026 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invalid pointer deallocation in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_linuxUbuntu Linux
CWE ID-CWE-590
Free of Memory not on the Heap
CVE-2026-47327
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-3.3||LOW
EPSS-0.09% / 0.63%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:27
Updated-29 May, 2026 | 02:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NULL pointer dereference in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-47326
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.09% / 0.71%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:26
Updated-29 May, 2026 | 02:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory leak in Ubuntu Linux AppArmor large notification response allocation

Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-49237
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.86%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 13:22
Updated-01 Jun, 2026 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local Privilege Escalation in Canonical Multipass

An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.

Action-Not Available
Vendor-Canonical Ltd.Apple Inc.
Product-multipassmacosMultipass
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2026-49238
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-8.4||HIGH
EPSS-0.51% / 39.83%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 13:22
Updated-01 Jun, 2026 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SFTP Server VM Escape in Canonical Multipass

An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.

Action-Not Available
Vendor-Canonical Ltd.
Product-multipassMultipass
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-25306
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 7.39%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 19:24
Updated-05 May, 2026 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PDFunite 0.41.0 Buffer Overflow via Malformed PDF

PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a specially crafted PDF file to the pdfunite utility.

Action-Not Available
Vendor-poppler-utilsCanonical Ltd.
Product-pdfunitePDFunite
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2026-6970
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.3||HIGH
EPSS-0.11% / 1.52%
||
7 Day CHG~0.00%
Published-27 Apr, 2026 | 15:28
Updated-27 Apr, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
authd Denial of Service and Local Privilege Escalation

authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.

Action-Not Available
Vendor-Canonical Ltd.
Product-authd
CWE ID-CWE-842
Placement of User into Incorrect Group
CVE-2026-31431
Assigner-kernel.org
ShareView Details
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-96.27% / 99.87%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 08:15
Updated-15 Jul, 2026 | 02:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-05-15||"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
crypto: algif_aead - Revert to operating out-of-place

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Action-Not Available
Vendor-amazonnixosVMware (Broadcom Inc.)NovellSiemens AGRed Hat, Inc.Debian GNU/LinuxopenSUSECanonical Ltd.Arista Networks, Inc.SUSELinux Kernel Organization, Inc
Product-linux_enterprise_microenterprise_storagesimatic_s7-1500_cpu_1518f-4_pn\/dp_mfpbasesystem_modulevelocloud_gatewaylinux_enterprise_workstation_extensionubuntu_linuxsimatic_s7-1500_cpu_1518f-4_pn\/dp_mfp_firmwareamazon_linuxenterprise_linux_euslinux_enterprise_desktopopenstack_cloudopenshift_container_platformmanager_proxylegacy_moduleopenstack_cloud_crowbarlinux_enterprise_high_performance_computingvelocloud_edgesiplus_s7-1500_cpu_1518-4_pn\/dp_mfp_firmwarevelocloud_orchestratornetvisor_osenterprise_linuxleapenterprise_linux_update_services_for_sap_solutionsnixossimatic_s7-1500_tm_mfp_firmwarelinux_enterprise_high_availability_extensionenterprise_linux_tusdevelopment_tools_modulemanager_retail_branch_serverlinux_enterprise_servercloudvision_agnilinux_enterprise_live_patchingsimatic_s7-1500_cpu_1518-4_pn\/dp_mfp_firmwaresiplus_s7-1500_cpu_1518-4_pn\/dp_mfpdebian_linuxlinux_enterprise_real_timecaas_platformlinux_microcloudvision_portalsimatic_s7-1500_tm_mfpmanager_serverlinux_kernelpublic_cloud_modulesimatic_s7-1500_cpu_1518-4_pn\/dp_mfprealtime_moduleenterprise_linux_ausLinuxRed Hat OpenShift Container Platform 4.21Red Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.8 Telecommunications Update ServiceRed Hat OpenShift Container Platform 4.15Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsSIPLUS S7-1500 CPU 1518-4 PN/DP MFPRed Hat OpenShift Container Platform 4.12Red Hat OpenShift Container Platform 4.13Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRed Hat Enterprise Linux 10.0 Extended Update SupportNVIDIA for RHEL 10Red Hat Enterprise Linux 8.6 Update Services for SAP SolutionsRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9.4 Extended Update SupportRed Hat OpenShift Container Platform 4.17SIMATIC S7-1500 CPU 1518F-4 PN/DP MFPRed Hat OpenShift Container Platform 4.18Red Hat Enterprise Linux 10SIMATIC S7-1500 TM MFP - GNU/Linux subsystemRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRed Hat OpenShift Container Platform 4.19Red Hat OpenShift Container Platform 4.14Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9.6 Extended Update SupportRed Hat Enterprise Linux 8Red Hat OpenShift Container Platform 4.20SIMATIC S7-1500 CPU 1518-4 PN/DP MFPRed Hat OpenShift Container Platform 4.16Kernel
CWE ID-CWE-1288
Improper Validation of Consistency within Input
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CVE-2026-6369
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.7||MEDIUM
EPSS-0.12% / 2.28%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 13:38
Updated-20 Apr, 2026 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposed Session Token in canonical-livepatch client snap

An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket. This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. This token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues to the Livepatch server.

Action-Not Available
Vendor-Canonical Ltd.
Product-canonical-livepatch
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-5412
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9.9||CRITICAL
EPSS-0.45% / 36.06%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 12:22
Updated-30 Apr, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Juju CloudSpec API could leak senstive information

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-285
Improper Authorization
CVE-2026-5774
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 15.46%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 12:10
Updated-22 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2025-14551
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-2.7||LOW
EPSS-0.28% / 19.74%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 15:03
Updated-17 Apr, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Senstive information disclosure was affecting subiquity

In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_subiquityUbuntu
CWE ID-CWE-1258
Exposure of Sensitive System Information Due to Uncleared Debug Information
CVE-2025-15480
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-2.7||LOW
EPSS-0.31% / 22.72%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 15:02
Updated-17 Apr, 2026 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Senstive information disclosure was affecting ubuntu-desktop-provision

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_desktop_provisionUbuntu
CWE ID-CWE-1258
Exposure of Sensitive System Information Due to Uncleared Debug Information
CVE-2026-34179
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9.1||CRITICAL
EPSS-0.27% / 19.30%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 09:22
Updated-22 Apr, 2026 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Update of type field in restricted TLS certificate allows privilege escalation to cluster admin

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.

Action-Not Available
Vendor-Canonical Ltd.
Product-lxdlxd
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-34178
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9.1||CRITICAL
EPSS-0.42% / 34.45%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 09:18
Updated-22 Apr, 2026 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Importing a crafted backup leads to project restriction bypass

In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.

Action-Not Available
Vendor-Canonical Ltd.
Product-lxdlxd
CWE ID-CWE-20
Improper Input Validation
CVE-2026-34177
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9.1||CRITICAL
EPSS-0.36% / 28.59%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 09:15
Updated-22 Apr, 2026 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.

Action-Not Available
Vendor-Canonical Ltd.
Product-lxdlxd
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CVE-2025-68153
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.23% / 14.00%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 15:28
Updated-21 Apr, 2026 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Juju: Resource poisoning

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.

Action-Not Available
Vendor-jujuCanonical Ltd.
Product-jujujuju
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-68152
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.36% / 28.53%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 15:25
Updated-21 Apr, 2026 | 01:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Juju: Read All Controller Logs From Compromised Workload

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.

Action-Not Available
Vendor-jujuCanonical Ltd.
Product-jujujuju
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-4370
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-10||CRITICAL
EPSS-0.38% / 30.39%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 08:09
Updated-08 Apr, 2026 | 07:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper TLS Client/Server authentication and certificate verification on Database Cluster

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-32694
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-6.6||MEDIUM
EPSS-0.27% / 18.66%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 12:55
Updated-19 Mar, 2026 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Direct Object Reference attack via predictable secret ID in Juju

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-343
Predictable Value Range from Previous Values
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-32693
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-8.8||HIGH
EPSS-0.30% / 22.23%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 12:47
Updated-19 Mar, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized access to Kubernetes secrets in Juju

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-778
Insufficient Logging
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-32692
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.6||HIGH
EPSS-0.17% / 6.17%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 12:35
Updated-19 Mar, 2026 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized update of out-of-scope Vault secrets

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-285
Improper Authorization
CVE-2026-32691
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 14.13%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 12:28
Updated-19 Mar, 2026 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Timing ownership claim attack on new external back-end secrets

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-708
Incorrect Ownership Assignment
CVE-2026-3888
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.8||HIGH
EPSS-0.38% / 30.56%
||
7 Day CHG~0.00%
Published-17 Mar, 2026 | 14:02
Updated-04 Jun, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local Privilege Escalation in snapd

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_linuxUbuntu 20.04 LTSUbuntu 18.04 LTSUbuntu 16.04 LTSUbuntu 24.04 LTSUbuntu 22.04 LTS
CWE ID-CWE-268
Privilege Chaining
CVE-2026-3497
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-2.7||LOW
EPSS-2.18% / 80.35%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 18:27
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Action-Not Available
Vendor-Red Hat, Inc.Siemens AGOpenBSDCanonical Ltd.UbuntuDebian GNU/Linux
Product-opensshubuntu_linuxenterprise_linuxdebian_linuxopensshRed Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRed Hat AI Inference Server 3.3Multicluster Engine for KubernetesOpenShift PipelinesRHEL-8 based Middleware ContainersRed Hat OpenShift Container Platform 4.15Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRed Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRed Hat AI Inference Server 3.2SIPLUS S7-1500 CPU 1518-4 PN/DP MFPRed Hat OpenShift Container Platform 4.12Red Hat OpenShift Container Platform 4.13Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRed Hat Enterprise Linux 10.0 Extended Update SupportRed Hat Enterprise Linux 8.6 Update Services for SAP SolutionsRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9.4 Extended Update SupportRed Hat OpenShift Container Platform 4.17SIMATIC S7-1500 CPU 1518F-4 PN/DP MFPRed Hat OpenShift Container Platform 4.18Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Advanced Cluster Management for Kubernetes 2Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRed Hat OpenShift Container Platform 4.19Red Hat OpenShift Container Platform 4.14Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9.6 Extended Update SupportRed Hat Enterprise Linux 8Red Hat Update Infrastructure 5SIMATIC S7-1500 CPU 1518-4 PN/DP MFPRed Hat OpenShift Container Platform 4.16Red Hat Hardened Images
CWE ID-CWE-824
Access of Uninitialized Pointer
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2026-28384
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-9.4||CRITICAL
EPSS-0.50% / 39.61%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 14:51
Updated-13 Mar, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated RCE via unsanitized compression_algorithm

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.

Action-Not Available
Vendor-Canonical Ltd.
Product-lxd
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-13350
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-7.1||HIGH
EPSS-0.15% / 4.30%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 18:56
Updated-09 Mar, 2026 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free of orphaned AF_UNIX in Ubuntu builds of Linux kernel

Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e, and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84.

Action-Not Available
Vendor-Canonical Ltd.
Product-Ubuntu Linux
CWE ID-CWE-416
Use After Free
CVE-2026-3351
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-2.1||LOW
EPSS-0.14% / 3.88%
||
7 Day CHG~0.00%
Published-03 Mar, 2026 | 12:49
Updated-11 Mar, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass in LXD GET /1.0/certificates Endpoint

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

Action-Not Available
Vendor-Canonical Ltd.Linux Kernel Organization, Inc
Product-lxdlinux_kernellxd
CWE ID-CWE-862
Missing Authorization
CVE-2026-1237
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-2.1||LOW
EPSS-0.13% / 3.20%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 15:01
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.

Action-Not Available
Vendor-Canonical Ltd.
Product-juju
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CWE ID-CWE-672
Operation on a Resource after Expiration or Release
CVE-2025-5467
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-1.9||LOW
EPSS-0.15% / 4.89%
||
7 Day CHG~0.00%
Published-10 Dec, 2025 | 18:00
Updated-17 Dec, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ubuntu Apport Insecure File Permissions Vulnerability

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Action-Not Available
Vendor-Canonical Ltd.
Product-apportapport
CWE ID-CWE-708
Incorrect Ownership Assignment
CVE-2025-6966
Assigner-Canonical Ltd.
ShareView Details
Assigner-Canonical Ltd.
CVSS Score-6.9||MEDIUM
EPSS-0.13% / 2.73%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 12:59
Updated-07 Jan, 2026 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Null-pointer dereference in python-apt TagSection.keys()

NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.

Action-Not Available
Vendor-Canonical Ltd.Debian GNU/LinuxUbuntu
Product-ubuntu_linuxdebian_linuxpython-aptpython-apt
CWE ID-CWE-476
NULL Pointer Dereference
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 86
  • 87
  • Next