Canonical Ubuntu Linux 18.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*
part: o version: 18.04 update: *
| Vendor | Canonical (bedcba35-8c3d-5a60-8532-2ba876a6ec88) |
|---|---|
| Product | Ubuntu Linux (f82c71f7-7613-59c6-b78d-a15b5eb77bd3) |
| Edition | * |
| Language | * |
| Software edition | esm |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-1786 |
vulnerable | 2026-06-03 14:48:56.500635 |
sensitive data exposure in cloud-init logs
MEDIUM (5.5)
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
Published: 2023-04-26T22:23:47.305Z
Updated: 2025-02-13T16:39:30.230Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-1523 |
vulnerable | 2026-06-03 14:48:55.681534 |
CRITICAL (10)
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.
Published: 2023-09-01T18:41:47.820Z
Updated: 2024-10-01T13:08:45.851Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3328 |
vulnerable | 2026-06-03 14:47:52.902270 |
HIGH (7.8)
Race condition in snap-confine's must_mkdir_and_open_with_perms()
Published: 2024-01-08T18:04:10.534Z
Updated: 2025-06-03T14:35:04.952Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2602 |
vulnerable | 2026-06-03 14:47:06.767158 |
MEDIUM (5.3)
io_uring UAF, Unix SCM garbage collection
Published: 2024-01-08T17:56:16.403Z
Updated: 2025-04-17T17:54:49.459Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2588 |
vulnerable | 2026-06-03 14:47:06.733818 |
MEDIUM (5.3)
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.
Published: 2024-01-08T17:50:47.948Z
Updated: 2025-05-22T18:23:25.184Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-2586 |
vulnerable | 2026-06-03 14:47:06.731646 |
MEDIUM (5.3)
It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.
Published: 2024-01-08T17:46:06.110Z
Updated: 2025-10-21T23:05:29.297Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-28658 |
vulnerable | 2026-06-03 14:46:55.161822 |
Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing
Published: 2024-06-04T22:03:53.633Z
Updated: 2024-10-27T14:58:19.533Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-28657 |
vulnerable | 2026-06-03 14:46:55.161360 |
Apport does not disable python crash handler before entering chroot
Published: 2024-06-04T22:02:26.017Z
Updated: 2024-08-03T05:56:16.428Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-28656 |
vulnerable | 2026-06-03 14:46:55.160902 |
is_closing_session() allows users to consume RAM in the Apport process
Published: 2024-06-04T21:58:44.839Z
Updated: 2025-03-19T17:42:19.680Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-28655 |
vulnerable | 2026-06-03 14:46:55.160460 |
is_closing_session() allows users to create arbitrary tcp dbus connections
Published: 2024-06-04T21:56:50.616Z
Updated: 2024-10-27T17:49:04.264Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-28654 |
vulnerable | 2026-06-03 14:46:55.158654 |
is_closing_session() allows users to fill up apport.log
Published: 2024-06-04T21:54:37.199Z
Updated: 2024-10-27T17:48:06.702Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-28652 |
vulnerable | 2026-06-03 14:46:55.154928 |
~/.config/apport/settings parsing is vulnerable to "billion laughs" attack
Published: 2024-06-04T21:38:44.324Z
Updated: 2025-03-13T18:21:18.146Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1184 |
vulnerable | 2026-06-03 14:45:58.213379 |
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.
Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-02T23:55:24.530Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-3600 |
vulnerable | 2026-06-03 14:45:12.112077 |
HIGH (7.8)
It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.
Published: 2024-01-08T18:16:42.087Z
Updated: 2024-09-04T15:38:28.022Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-4033 |
vulnerable | 2026-06-03 14:42:48.694658 |
OOB Read in RLEDECOMPRESS in FreeRDP
LOW (3.1)
In FreeRDP before version 2.1.2, there is an out of bounds read in RLEDECOMPRESS. All FreeRDP based clients with sessions with color depth < 32 are affected. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T07:52:20.833Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-4032 |
vulnerable | 2026-06-03 14:42:48.693969 |
Integer casting vulnerability in `update_recv_secondary_order` in FreeRDP
LOW (3.1)
In FreeRDP before version 2.1.2, there is an integer casting vulnerability in update_recv_secondary_order. All clients with +glyph-cache /relax-order-checks are affected. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T07:52:20.674Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-4031 |
vulnerable | 2026-06-03 14:42:48.693249 |
Use-After-Free in gdi_SelectObject in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, there is a use-after-free in gdi_SelectObject. All FreeRDP clients using compatibility mode with /relax-order-checks are affected. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T07:52:20.811Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-4030 |
vulnerable | 2026-06-03 14:42:48.692391 |
OOB read in `TrioParse` in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T07:52:20.821Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-15862 |
vulnerable | 2026-06-03 14:41:46.889674 |
Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root.
Published: 2020-08-19T00:00:00.000Z
Updated: 2024-08-04T13:30:22.680Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-15103 |
vulnerable | 2026-06-03 14:41:45.248728 |
Integer Overflow in FreeRDP
LOW (3.5)
In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`). This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto.
Published: 2020-07-27T00:00:00.000Z
Updated: 2024-08-04T13:08:21.774Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13398 |
vulnerable | 2026-06-03 14:41:36.615282 |
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c.
Published: 2020-05-22T00:00:00.000Z
Updated: 2024-08-04T12:18:17.772Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13397 |
vulnerable | 2026-06-03 14:41:36.614673 |
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value.
Published: 2020-05-22T00:00:00.000Z
Updated: 2024-08-04T12:18:17.726Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-13396 |
vulnerable | 2026-06-03 14:41:36.613998 |
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.
Published: 2020-05-22T00:00:00.000Z
Updated: 2024-08-04T12:18:17.917Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11099 |
vulnerable | 2026-06-03 14:41:01.094693 |
OOB Read in license_read_new_or_upgrade_license_packet in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, there is an out of bounds read in license_read_new_or_upgrade_license_packet. A manipulated license packet can lead to out of bound reads to an internal buffer. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T11:21:14.623Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11098 |
vulnerable | 2026-06-03 14:41:01.094182 |
Out-of-bound read in glyph_cache_put in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, there is an out-of-bound read in glyph_cache_put. This affects all FreeRDP clients with `+glyph-cache` option enabled. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T11:21:14.493Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11097 |
vulnerable | 2026-06-03 14:41:01.093650 |
OOB read in ntlm_av_pair_get in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, an out of bounds read occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T11:21:14.615Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11096 |
vulnerable | 2026-06-03 14:41:01.093109 |
Global OOB read in update_read_cache_bitmap_v3_order in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, there is a global OOB read in update_read_cache_bitmap_v3_order. As a workaround, one can disable bitmap cache with -bitmap-cache (default). This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T11:21:14.608Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11095 |
vulnerable | 2026-06-03 14:41:01.092554 |
Global OOB read in update_recv_primary_order in FreeRDP
LOW (3.5)
In FreeRDP before version 2.1.2, an out-of-bounds read occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
Published: 2020-06-22T00:00:00.000Z
Updated: 2024-08-04T11:21:14.625Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11058 |
vulnerable | 2026-06-03 14:41:01.021149 |
Improper Restriction of Operations within the Bounds of a Memory Buffer in FreeRDP
LOW (2.2)
In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds seek in rdp_read_font_capability_set could lead to a later out-of-bounds read. As a result, a manipulated client or server might force a disconnect due to an invalid data read. This has been fixed in 2.0.0.
Published: 2020-05-12T00:00:00.000Z
Updated: 2024-08-04T11:21:14.624Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11049 |
vulnerable | 2026-06-03 14:41:01.002132 |
Out-of-bounds Read in FreeRDP rdp_read_share_control_header
MEDIUM (5.5)
In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read of client memory that is then passed on to the protocol parser. This has been patched in 2.0.0.
Published: 2020-05-07T00:00:00.000Z
Updated: 2024-08-04T11:21:14.582Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11048 |
vulnerable | 2026-06-03 14:41:01.001627 |
Out-of-bounds Read in FreeRDP rdp_read_flow_control_pdu
LOW (2.2)
In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds read. It only allows aborting a session. No data extraction is possible. This has been fixed in 2.0.0.
Published: 2020-05-07T00:00:00.000Z
Updated: 2024-08-04T11:21:14.514Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11047 |
vulnerable | 2026-06-03 14:41:01.001089 |
Out-of-bounds Read in FreeRDP
MEDIUM (5.5)
In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read in autodetect_recv_bandwidth_measure_results. A malicious server can extract up to 8 bytes of client memory with a manipulated message by providing a short input and reading the measurement result data. This has been patched in 2.0.0.
Published: 2020-05-07T00:00:00.000Z
Updated: 2024-08-04T11:21:14.613Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-11046 |
vulnerable | 2026-06-03 14:41:01.000490 |
Improper Restriction of Operations within the Bounds of a Memory Buffer in FreeRDP
MEDIUM (5.5)
In FreeRDP after 1.0 and before 2.0.0, there is a stream out-of-bounds seek in update_read_synchronize that could lead to a later out-of-bounds read.
Published: 2020-05-07T00:00:00.000Z
Updated: 2024-08-04T11:21:14.384Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9071 |
vulnerable | 2026-06-03 14:40:48.669963 |
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.
Published: 2019-02-24T00:00:00.000Z
Updated: 2024-08-04T21:38:46.323Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-8354 |
vulnerable | 2026-06-03 14:40:47.607585 |
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
Published: 2019-02-15T23:00:00.000Z
Updated: 2024-08-04T21:17:30.508Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-20503 |
vulnerable | 2026-06-03 14:40:16.785953 |
usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init.
Published: 2020-03-06T00:00:00.000Z
Updated: 2024-08-05T02:46:08.498Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-15118 |
vulnerable | 2026-06-03 14:39:47.096436 |
check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.
Published: 2019-08-16T13:44:50.000Z
Updated: 2024-08-05T00:34:53.229Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-13272 |
vulnerable | 2026-06-03 14:39:37.479866 |
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
Published: 2019-07-17T12:32:55.000Z
Updated: 2025-10-21T23:45:33.569Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-0211 |
vulnerable | 2026-06-03 14:39:18.743034 |
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Published: 2019-04-08T21:31:09.000Z
Updated: 2025-10-21T23:45:40.583Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-3136 |
vulnerable | 2026-06-03 14:38:48.152945 |
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).
Published: 2018-10-17T01:00:00.000Z
Updated: 2024-10-02T19:44:27.995Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-2825 |
vulnerable | 2026-06-03 14:38:47.563619 |
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Published: 2018-04-19T02:00:00.000Z
Updated: 2025-05-06T14:58:56.664Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-19873 |
vulnerable | 2026-06-03 14:38:29.762637 |
An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
Published: 2018-12-26T20:00:00.000Z
Updated: 2024-08-05T11:44:20.667Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-11574 |
vulnerable | 2026-06-03 14:38:01.701785 |
Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.
Published: 2018-06-14T20:00:00.000Z
Updated: 2025-12-03T21:09:49.904Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2017-12617 |
vulnerable | 2026-06-03 14:36:36.370633 |
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Published: 2017-10-03T15:00:00.000Z
Updated: 2025-10-21T23:55:32.381Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-9842 |
vulnerable | 2026-06-03 14:36:17.522610 |
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
Published: 2017-05-23T03:56:00.000Z
Updated: 2025-12-04T16:36:07.397Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-9840 |
vulnerable | 2026-06-03 14:36:17.501358 |
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Published: 2017-05-23T03:56:00.000Z
Updated: 2024-08-06T02:59:03.590Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-10165 |
vulnerable | 2026-06-03 14:35:23.512782 |
The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read.
Published: 2017-02-03T19:00:00.000Z
Updated: 2024-08-06T03:14:42.619Z |
Imported from gcve-enriched-dumps CVE data |