========================================================================== Ubuntu Security Notice USN-8288-1 May 20, 2026 bubblewrap vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 Summary: Bubblewrap could be made to bypass sandbox restrictions. Software Description: - bubblewrap: Low-level unprivileged sandboxing tool used by Flatpak and similar projects Details: It was discovered that Bubblewrap incorrectly handled the sandbox setup phase when installed in setuid mode. A local attacker could possibly use this issue to bypass sandbox restrictions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS bubblewrap 0.11.1-1ubuntu0.1 Ubuntu 25.10 bubblewrap 0.11.0-2ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8288-1 CVE-2026-41163 Package Information: https://launchpad.net/ubuntu/+source/bubblewrap/0.11.1-1ubuntu0.1 https://launchpad.net/ubuntu/+source/bubblewrap/0.11.0-2ubuntu0.1
Thursday, May 21, 2026
Wednesday, May 20, 2026
Bouncing messages from freebsd-announce@FreeBSD.org
Hi, this is the Mlmmj program managing the <freebsd-announce@FreeBSD.org> mailing list. Some messages to you could not be delivered. If you're seeing this message it means things are back to normal, and it's merely for your information. Here is the list of the bounced messages: - 259, Message-ID: <20260520222412.AB1E59E91@freefall.freebsd.org> - 260, Message-ID: <20260520222417.DCC0C9E21@freefall.freebsd.org>
FreeBSD Security Advisory FreeBSD-SA-26:22.libcasper
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:22.libcasper Security Advisory The FreeBSD Project Topic: select(2) file descriptor set overflow causes stack overflow Category: core Module: libcasper Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:41 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:35 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:38:00 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:40:00 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:38 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-39461 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background libcasper(3) allows Capsicum-sandboxed applications to access system interfaces that are otherwise unavailable within the sandbox. It is used by numerous programs in the base system. II. Problem Description libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). III. Impact An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch.asc # gpg --verify libcasper-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch.asc # gpg --verify libcasper-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 23929d729d1a stable/15-n283644 releng/15.0/ e22f3f55c360 releng/15.0-n281044 stable/14/ 9e74d5e2e5e4 stable/14-n274167 releng/14.4/ ae34dd1a391f releng/14.4-n273707 releng/14.3/ cbec31838173 releng/14.3-n271507 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-39461> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:22.libcasper.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHsbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrveQAP/iyv1O1XI6tSrRictadU 9tBJFE5WlWGPrB8ID/12nLsKaTM5hzbA1G+v8c3So3FaSEl+m7D8BTri4X0XPibQ 5Pp4v67MO+yqsNxOjwyqAizOnD5bk/sEUuBV5JijZuqsAiEWFw5l0dKDU83zt3vu hyk8/eeKuIxEwDiWQoeE32RM3BupY1ClWp46kiSjvOVzUK04miHQjgFFnVqkBuI7 DeanTjzCw3g+RQNTRKVGE2LYRLFHka6m4Z5RYT7beFOLdlD58T7lvQLl3l3f2QSR hXcq5RxAhf4omPkm432fIdd4nev4gti3rxJC76NM2rIHGeSlRd4O7MHreNwNkU2O 8Rv8IWMCM20zZCtbov7q8XbTqKp8JXSJ/8g15iZuZ4wk+THnpRy7dsRe5eYQvVbB J/zBKB9xMXGp69+88uZHDsSSoS841pkZ61+MlxeK4xC3MO6tlTO0Hannhmy8WCb4 U5GimvX3EcvhGeBWRvPTdPJY9EcrDPDU2djaiFzPZZ7rrUjR8YJ685fyj161nnb+ ibubcwiz7ygQu8b9T0rc1AV5ZTAC/QAlRarDpRNx2Ynh/FlZ89n+N5LnSHwGXc/v /P+ob/5AqdLfyofw5pcx/FVuAiK4bjqDGGYuZw1tplg/L7AV3k87zIMYdCgr3e95 PyQCsFAG014gMVETPGHKm6/7 =ypPx -----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-26:21.ptrace
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:21.ptrace Security Advisory The FreeBSD Project Topic: Missing validation in ptrace(PT_SC_REMOTE) Category: core Module: ptrace Announced: 2026-05-20 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Credits: Ryan at Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:40 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:34 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:59 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:59 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:37 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45253 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The ptrace(2) system call provides facilities for a debugger to control the execution of a target process and to obtain status information about it. Among other capabilities, it permits a debugger to execute arbitrary system calls in the target process via the PT_SC_REMOTE operation. II. Problem Description ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. III. Impact The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch.asc # gpg --verify ptrace-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch.asc # gpg --verify ptrace-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch.asc # gpg --verify ptrace-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 3b4afab9add2 stable/15-n283643 releng/15.0/ fd24dd0b38a8 releng/15.0-n281043 stable/14/ fac902a3e039 stable/14-n274166 releng/14.4/ c21d23f0f8be releng/14.4-n273706 releng/14.3/ 45bd421661c4 releng/14.3-n271506 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-45253> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:21.ptrace.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvLd0QAOQGyaTmlTQJTS+EIPMU +poVU59Fe4L+/+H8LSibnCPBbycH1bv6m9e906s/za0IBLGVq7PhY0U1YtPO5++J A86nLzgqk4hEU5RWmA3+dnLYrIxOf3fVvSev/XAZe/1eWwcljYRCtqLV+IBmyxeZ amfYoXliUTuZHO+r+88HVAgDy6efZ3IlnHF9iMlpsF0IFezpgFh4E6tiJk9/pMlz wuXpHCm34rEjy6bvQaDP9G1zXGszrEatT25d9rKZnHscZCQuRgtpLaOVCuH8oDca +1PFTfTNJnepH9Ir1nSaYLViZdHfuDK40CafZm54q4669AramrySoxNJlnNHOiMK DN4aqxMfW5xCEEK+fIJYqTyW2L3WzRJ8tm3bF/zzsMYTsNmclcklzmuMNqsGQls1 TGIhb+J+e0vkdZOpuJaT65pmGaF2dJeBvwNsIMJgtY3yotUPbDFD1ALNVUwIkKYh m68XK0Ykw93ySLjbORUVFLP5nv5PvYtubAy37q5tskN6hXLlyX5a0QxIL5T5u0jx hwDnyl4UAHGmkBM8U0CnaQbixP/yV0p5q+3NtpBurHB74tov593/U1eroydDywRl Mw2R3k7AFIC5CszwMA6J0l3W2tLq/j7tcTQ/8CNgPpP/TPVntQxQShxB93F+/MdX n9D4phEb7cKk4Y9QIBKkdbYZ =egz5 -----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:20.fusefs Security Advisory The FreeBSD Project Topic: Heap overflow in FUSE_LISTXATTR Category: core Module: fusefs Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45252 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The fusefs file system delegates file system operations to a userspace daemon. This daemon ordinarily requires root privileges to operate. When the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users are permitted to run such daemons and mount fusefs file systems. II. Problem Description When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. III. Impact If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space. IV. Workaround No workaround is available, but systems that do not load the fusefs kernel module or set vfs.usermount=1 are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc # gpg --verify fusefs-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc # gpg --verify fusefs-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc # gpg --verify fusefs-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ df3f3fa82775 stable/15-n283642 releng/15.0/ 0dd8b983db3c releng/15.0-n281042 stable/14/ 25148c51c8c6 stable/14-n274165 releng/14.4/ 6a299460f159 releng/14.4-n273705 releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-45252> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:20.fusefs.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96 AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot 42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR 9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V qAWdXCXwrbOr+eA50IIPxkal =HzW3 -----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-26:19.file
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:19.file Security Advisory The FreeBSD Project Topic: Kernel use-after-free via file descriptor syscalls Category: core Module: file Announced: 2026-05-20 Credits: 75Acol, Lexpl0it, fcgboy, and robinzeng2015 Credits: Ryan at Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:37 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:31 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:57 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:57 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:34 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45251 This vulnerability was independently reported by multiple parties prior to publication. The reporters' findings prompted a broader review by the FreeBSD Security Team, which identified additional occurrences of the same issue in related code. All known exploitable instances are corrected by this update. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background FreeBSD implements a number of file descriptor types. Traditionally file descriptors are used to perform file or network I/O, but other variants exist such as process descriptors, which enable operations on a particular process. The select(2) and poll(2) system calls allow applications to wait for events related to the object to which a file descriptor refers. These system calls are implemented for many different file descriptor types. For instance, a process descriptor may be used with either system call to wait for the target process to exit. II. Problem Description A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. III. Impact The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch.asc # gpg --verify file-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch.asc # gpg --verify file-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 53a78e582a6f stable/15-n283641 releng/15.0/ af79f4148450 releng/15.0-n281041 stable/14/ b90b25c3779e stable/14-n274164 releng/14.4/ 8d8694c224e2 releng/14.4-n273704 releng/14.3/ 659818009d15 releng/14.3-n271504 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-45251> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:19.file.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKG4bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvA78P/iRlQXxVUpth5tRn2FiC lseIWOmh3DVI1OjwFQ30VydwnA5rlOqPPTpF2hsT0ee3ExS6pUKITi3735BmkPvT KvnOKkY9A2DdzXJQ9eZvrVJRN1/VlKx8Us1VmWWRxPHghmcqqTY0wN2lFcsyqcpN 6Wdi51z+X5sLWZZsLsvqAskWiCNqUzBSSWqCTLEW0tBD9AoW2BPQcpAeEmx4MDch Hk2/pecoUL2T/hu3bjo60CTp3R7E4gPt9wM5Ejf32vwsW0sTNkTmy7HbZCNmYHZw R764O4i4poDzccTiXxuhXdrIDXmRQwTyB9d6S12OmP8ec8dAQzm9p5xl4HoHhOho 9zTMCiLoU+ApN1H+bXqN9JvmZ9hfxGqdPaJgZRkQ11xRHg8tz48SigON/vxlbYff ln9EJ+NGEcskrbUAG8cUCJ3/a8A7xLQo07TpvyddeUc6ufk+nFEBzNS3rpaFNy5y GqFIOzqISRSsE1tf6rrItULQEKWtOMUYvAbrcLRwPAQ1cav+sOv9YlfpW36s1+mc CyuXDh3pbN5biajjImGO1CYN92mq/Jfz/cRnvQub+78T+4w6yAxj53fBNg97tIOI b7EISAnbgGj5akQRGJXJ84iuYij9xTPEOCSbfgAqsWXKz6l/bgSoVUhq/e0/dXKA sr+3pjhi5P7N66SvO+7iEpYI =iM1b -----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-26:18.setcred
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:18.setcred Security Advisory The FreeBSD Project Topic: Stack buffer overflow via setcred(2) Category: core Module: setcred Announced: 2026-05-20 Credits: Ryan of Calif.io Credits: Przemyslaw Frasunek Affects: All supported versions of FreeBSD. Corrected: 2026-01-06 13:34:30 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:28 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:54 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:54 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:32 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45250 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background System calls are the programmatic interface through which user-space processes request services from the operating system kernel, providing a controlled boundary between unprivileged application code and privileged kernel operations. setcred(2) is a system call which enables a privileged process to atomically set its full credential set, including the real, effective, and saved user and group identifiers, as well as the list of supplementary groups. It is intended for use by programs such as login(1) and PAM(3)-aware authentication frameworks that must transition a process into a target user context in a single, race-free operation, replacing the need for multiple discrete calls to setuid(2), setgid(2), and setgroups(2). II. Problem Description The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. III. Impact Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch.asc # gpg --verify setcred-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch.asc # gpg --verify setcred-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ b6cba9028457 stable/15-n281743 releng/15.0/ d98c0a494a42 releng/15.0-n281038 stable/14/ 8eb0bbbd2e46 stable/14-n274162 releng/14.4/ 34da5845b8d4 releng/14.4-n273702 releng/14.3/ bfff5c180193 releng/14.3-n271502 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-45250> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:18.setcred.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvSpsP/38o7yHdNEMNMPPOBtKZ 2dn/vmcOo1srkhUx0kl2EVBzirSDsTVkWfUq1Txg5JA7/pG3On/YiaAmUMi9jHqy q0tgkyO/scKGWNDYmFIA9QAXAwwSUZnT+eEwt3IawOzquezD/qr++CCimntSUzsu IP3oMFYaw9JvMF6Z6tTfcYYA02CF7nRrtIJtrxfWkgyDoMoikHsNW4o2LXJTz4bV 2uk7BuQKbDc3gxoEBYd0bulXBa9DHsrfS59eEnbb8txrBjt21aQGjBY8SJSoFyYh yZixmadpZ9J4oTBc03hOO2Z2BN5f/QficGIU4t0wj0A8EcsrspFMDRj2xd/5zi86 VLqiQf6WJbgVyytUe5aYbBPC6eH2TRnMWaOERbocNS6xQKcYpZYqwnVZ77n6tPb4 wKQd+qKYM74lf0BPCBc60h7yo9e6Qd8puGolyL05qdZVB+c3m0qB000gsyNFytFs kQSovaXFf4r0DCEuBixE/Ic5ADwl7A4pCIxqwWwJlnrj77XCobNEQJtajkrapXsU MSLQ20RuRiVNesgyjP9dZCk8enuOl96TwrvdkyqvSJgb0Gw3XEeyCWT4dAE+Fh3A n8RhQeY6YWWk+DOiuw5Q5v2PyoBNoV8jV2AjeXzhIOQsyWGeSYQ2GeFu6PW3UyzQ olNjUPjprNwteRkUuGHmE3zQ =6aG+ -----END PGP SIGNATURE-----
FreeBSD Errata Notice FreeBSD-EN-26:13.freebsd-update
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:13.freebsd-update Errata Notice The FreeBSD Project Topic: freebsd-update attempts to merge a generated file Category: core Module: freebsd-update Announced: 2026-05-20 Affects: All supported versions of FreeBSD. Corrected: 2026-05-19 13:59:37 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:27 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-19 13:59:57 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:53 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:31 UTC (releng/14.3, 14.3-RELEASE-p14) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The freebsd-update utility is used both to apply binary updates for security advisories and errata notices, and to upgrade from one FreeBSD release to another. In the latter scenario, when it detects local changes to a configuration file which is affected by the upgrade, freebsd-update will perform a three-way merge and prompt the user to manually resolve any conflicts between local and incoming changes. The certctl utility has been used since FreeBSD 12.0 to manage a hashed directory of root certificates for use when validating TLS server certificates. Since FreeBSD 15.0, certctl also maintains a bundle for the benefit of applications which either do not support the hashed directory format or need to preload the trust store prior to entering capability mode, a chroot, or similar. II. Problem Description When upgrading from FreeBSD 15.0 to FreeBSD 15.1, freebsd-update incorrectly treats the certificate bundle /etc/ssl/cert.pem as a configuration file. In most cases, the three-way merge results in conflicts which the user is then asked to resolve. The bundle is not human-readable, and merging it serves no purpose since freebsd-update regenerates the entire certificate store at the end of the upgrade. When upgrading from an older FreeBSD release to FreeBSD 15.0 or 15.1, if /etc/ssl/cert.pem is present (e.g. as provided by the ETCSYMLINK option of the security/ca_root_nss port, or manually created by an administrator), freebsd-update will emit a non-fatal error message and pause until the user acknowledges the message. III. Impact Users upgrading from 15.0 to 15.1 may be presented with one or more merge conflicts in thousands of lines of Base64-encoded ASN.1 data. Users upgrading from older releases to 15.0 or 15.1 may encounter a non-fatal error message with no clear resolution, reducing user confidence in the upgrade process. IV. Workaround If prompted to resolve conflicts, exit the editor and force freebsd-update to accept the unmerged file by typing "ACCEPT" (all upper-case, without the quotes). The bundle will be regenerated at the end of the upgrade process and the system will be fully functional. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch # fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch.asc # gpg --verify freebsd-update.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ b97f143b6ca9 stable/15-n283610 releng/15.0/ 2709755d39f5 releng/15.0-n281037 stable/14/ 7d9c1d3895b3 stable/14-n274144 releng/14.4/ 081a9e933033 releng/14.4-n273701 releng/14.3/ a1b3818746e3 releng/14.3-n271501 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:13.freebsd-update.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGEbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvgJQP/RY20Qr2cM3gsEsVSt5+ xXS/yCXu+IZq/ALOzw4RvqzdqvVzlA3U2VgSXpucnkrV0rABc7yxLbmvTVj6GOG7 yvKXSmV58akQoUbnOtwHZF4x+4A9+Y3BzGIWUrzh014ll4MyhGw/4ekFiu36J0Mg QBDPkAy+3jrCTE3i2aAF1w1gLYdyIfDwGYQHqpPCsMmGhHuleogGqmhc5pH2J30g fPRLe8a4njizX5aT15TZvo6U5sQC6tll4DBUqTWh6k49XxSELKQwYgXhqhespI++ yZ327VPwkVgaYI0C96LCV5SVB811BvFAKXKzjItKOWpJyg6HpB8hiSEubqlWW7zX vltqLyf8qe15wZPvrs1kgX2kH9ZJXYwJ9W5z5kY8sk/DCYos+bxtEQ47CU5u6/nF h01i3mAwOdh0/br7Y7hRS4eekNg9XUpu9dakJdhpJjbRylS6I6wK/C/f89L+qmgP 4jq20TCFHQ2riVHxhOG3nSGkP+5CsIUnjg94x/EKK9xA9DZb0D5/Vy+hQYhJ5qza q5TKkv72vb32LKFKvzXXJbCrRlJr6bmCOMXYRGZwDzKzfd5jrVwzlIfooiaQ28bj g2egNBCe69H0SboydGi6J4yciBn3TeBHilfPuDLxs2eRZmYFd4wVD4wnigsysL2J JETeDqmCxDDqbzhIYf3XL7Pt =zyAg -----END PGP SIGNATURE-----
[USN-8283-1] rsync vulnerabilities
========================================================================== Ubuntu Security Notice USN-8283-1 May 20, 2026 rsync vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in rsync. Software Description: - rsync: fast, versatile, remote (and local) file-copying tool Details: Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-10158) Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without chroot protection were exposed to a race condition on parent path components. A local attacker with write access to a module could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-29518) It was discovered that rsync did not properly validate a length value while sorting extended attributes. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035) It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations. A remote attacker could possibly use this issue to bypass hostname-based access controls and access network services. (CVE-2026-43617) Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618) Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system calls for daemons configured without chroot protection. A local attacker could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619) Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service. (CVE-2026-43620) Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An attacker able to intercept network communications or a malicious proxy server could possibly use this issue to cause a denial of service. (CVE-2026-45232) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS rsync 3.4.1+ds1-7ubuntu0.2 Ubuntu 25.10 rsync 3.4.1+ds1-5ubuntu1.2 Ubuntu 24.04 LTS rsync 3.2.7-1ubuntu1.4 Ubuntu 22.04 LTS rsync 3.2.7-0ubuntu0.22.04.6 In general, a standard system update will make all the necessary changes. After a standard system update you need to restart rsync daemons if configured to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8283-1 CVE-2025-10158, CVE-2026-29518, CVE-2026-41035, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-45232 Package Information: https://launchpad.net/ubuntu/+source/rsync/3.4.1+ds1-7ubuntu0.2 https://launchpad.net/ubuntu/+source/rsync/3.4.1+ds1-5ubuntu1.2 https://launchpad.net/ubuntu/+source/rsync/3.2.7-1ubuntu1.4 https://launchpad.net/ubuntu/+source/rsync/3.2.7-0ubuntu0.22.04.6
[USN-8285-1] GStreamer Good Plugins vulnerability
========================================================================== Ubuntu Security Notice USN-8285-1 May 20, 2026 gst-plugins-good1.0 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 Summary: GStreamer Good Plugins could be made to crash or run programs if it opened a specially crafted file. Software Description: - gst-plugins-good1.0: GStreamer plugins Details: It was discovered that GStreamer Good Plugins incorrectly handled certain MOV/MP4 media files. A remote attacker could use this issue to cause GStreamer Good Plugins to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 gstreamer1.0-plugins-good 1.26.5-1ubuntu2.2 libgstreamer-plugins-good1.0-0 1.26.5-1ubuntu2.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8285-1 CVE-2026-5056 Package Information: https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.26.5-1ubuntu2.2
[USN-8286-1] OpenVPN vulnerabilities
========================================================================== Ubuntu Security Notice USN-8286-1 May 20, 2026 openvpn vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in OpenVPN. Software Description: - openvpn: virtual private network software Details: Guannan Wang, Zhanpeng Liu, Guancheng Li, and Emma Reuter discovered that OpenVPN incorrectly handled suitably malformed packets with valid tls-crypt-v2 keys. An attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2026-35058) Guannan Wang, Zhanpeng Liu, and Guancheng Li discovered that OpenVPN had a race condition in the TLS handshake process that could leak packet data from a previous handshake under certain circumstances. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-40215) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS openvpn 2.7.0-1ubuntu1.1 Ubuntu 25.10 openvpn 2.6.19-0ubuntu0.25.10.2 Ubuntu 24.04 LTS openvpn 2.6.19-0ubuntu0.24.04.2 Ubuntu 22.04 LTS openvpn 2.5.11-0ubuntu0.22.04.3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8286-1 CVE-2026-35058, CVE-2026-40215 Package Information: https://launchpad.net/ubuntu/+source/openvpn/2.7.0-1ubuntu1.1 https://launchpad.net/ubuntu/+source/openvpn/2.6.19-0ubuntu0.25.10.2 https://launchpad.net/ubuntu/+source/openvpn/2.6.19-0ubuntu0.24.04.2 https://launchpad.net/ubuntu/+source/openvpn/2.5.11-0ubuntu0.22.04.3
Tuesday, May 19, 2026
[USN-8280-1] Linux kernel vulnerabilities
========================================================================== Ubuntu Security Notice USN-8280-1 May 19, 2026 linux, linux-aws, linux-aws-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-aws-fips: Linux kernel for Amazon Web Services (AWS) systems with FIPS - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-fips: Linux kernel with FIPS - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-gcp-fips: Linux kernel for Google Cloud Platform (GCP) systems with FIPS - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud systems - linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors - linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems - linux-ibm-5.4: Linux kernel for IBM cloud systems - linux-oracle-5.4: Linux kernel for Oracle Cloud systems Details: It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Packet sockets; - TLS protocol; (CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS linux-image-5.4.0-1077-xilinx-zynqmp 5.4.0-1077.81 Available with Ubuntu Pro linux-image-5.4.0-1105-ibm 5.4.0-1105.110 Available with Ubuntu Pro linux-image-5.4.0-1118-bluefield 5.4.0-1118.125 Available with Ubuntu Pro linux-image-5.4.0-1133-fips 5.4.0-1133.143 Available with Ubuntu Pro linux-image-5.4.0-1146-kvm 5.4.0-1146.155 Available with Ubuntu Pro linux-image-5.4.0-1157-oracle 5.4.0-1157.167 Available with Ubuntu Pro linux-image-5.4.0-1159-aws 5.4.0-1159.169 Available with Ubuntu Pro linux-image-5.4.0-1159-aws-fips 5.4.0-1159.169+fips1 Available with Ubuntu Pro linux-image-5.4.0-1162-gcp 5.4.0-1162.171 Available with Ubuntu Pro linux-image-5.4.0-1162-gcp-fips 5.4.0-1162.171+fips1 Available with Ubuntu Pro linux-image-5.4.0-230-generic 5.4.0-230.250 Available with Ubuntu Pro linux-image-5.4.0-230-generic-lpae 5.4.0-230.250 Available with Ubuntu Pro linux-image-5.4.0-230-lowlatency 5.4.0-230.250 Available with Ubuntu Pro linux-image-aws-5.4 5.4.0.1159.156 Available with Ubuntu Pro linux-image-aws-fips 5.4.0.1159.106 Available with Ubuntu Pro linux-image-aws-fips-5.4 5.4.0.1159.106 Available with Ubuntu Pro linux-image-aws-lts-20.04 5.4.0.1159.156 Available with Ubuntu Pro linux-image-bluefield 5.4.0.1118.114 Available with Ubuntu Pro linux-image-bluefield-5.4 5.4.0.1118.114 Available with Ubuntu Pro linux-image-fips 5.4.0.1133.130 Available with Ubuntu Pro linux-image-fips-5.4 5.4.0.1133.130 Available with Ubuntu Pro linux-image-gcp-5.4 5.4.0.1162.164 Available with Ubuntu Pro linux-image-gcp-fips 5.4.0.1162.104 Available with Ubuntu Pro linux-image-gcp-fips-5.4 5.4.0.1162.104 Available with Ubuntu Pro linux-image-gcp-lts-20.04 5.4.0.1162.164 Available with Ubuntu Pro linux-image-generic 5.4.0.230.222 Available with Ubuntu Pro linux-image-generic-5.4 5.4.0.230.222 Available with Ubuntu Pro linux-image-generic-lpae 5.4.0.230.222 Available with Ubuntu Pro linux-image-generic-lpae-5.4 5.4.0.230.222 Available with Ubuntu Pro linux-image-ibm-5.4 5.4.0.1105.134 Available with Ubuntu Pro linux-image-ibm-lts-20.04 5.4.0.1105.134 Available with Ubuntu Pro linux-image-kvm 5.4.0.1146.142 Available with Ubuntu Pro linux-image-kvm-5.4 5.4.0.1146.142 Available with Ubuntu Pro linux-image-lowlatency 5.4.0.230.222 Available with Ubuntu Pro linux-image-lowlatency-5.4 5.4.0.230.222 Available with Ubuntu Pro linux-image-oem 5.4.0.230.222 Available with Ubuntu Pro linux-image-oem-osp1 5.4.0.230.222 Available with Ubuntu Pro linux-image-oracle-5.4 5.4.0.1157.151 Available with Ubuntu Pro linux-image-oracle-lts-20.04 5.4.0.1157.151 Available with Ubuntu Pro linux-image-virtual 5.4.0.230.222 Available with Ubuntu Pro linux-image-virtual-5.4 5.4.0.230.222 Available with Ubuntu Pro linux-image-xilinx-zynqmp 5.4.0.1077.77 Available with Ubuntu Pro linux-image-xilinx-zynqmp-5.4 5.4.0.1077.77 Available with Ubuntu Pro Ubuntu 18.04 LTS linux-image-5.4.0-1105-ibm 5.4.0-1105.110~18.04.1 Available with Ubuntu Pro linux-image-5.4.0-1157-oracle 5.4.0-1157.167~18.04.1 Available with Ubuntu Pro linux-image-5.4.0-1162-gcp 5.4.0-1162.171~18.04.1 Available with Ubuntu Pro linux-image-gcp 5.4.0.1162.171~18.04.1 Available with Ubuntu Pro linux-image-gcp-5.4 5.4.0.1162.171~18.04.1 Available with Ubuntu Pro linux-image-ibm 5.4.0.1105.110~18.04.1 Available with Ubuntu Pro linux-image-ibm-5.4 5.4.0.1105.110~18.04.1 Available with Ubuntu Pro linux-image-oracle 5.4.0.1157.167~18.04.1 Available with Ubuntu Pro linux-image-oracle-5.4 5.4.0.1157.167~18.04.1 Available with Ubuntu Pro After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8280-1 CVE-2026-31431, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078