Canonical Ubuntu Linux 22.04 Lts Edition

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

Published: 2025-05-30T17:37:01.006Z
Updated: 2025-11-03T20:05:43.609Z

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Published: 2025-06-30T00:00:00.000Z
Updated: 2026-02-26T17:50:20.931Z

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Published: 2024-07-16T21:43:46.239Z
Updated: 2024-10-15T13:12:30.559Z

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Published: 2024-07-01T12:37:25.431Z
Updated: 2026-05-12T11:39:26.672Z

Heap buffer overflow in WebRTC in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Published: 2024-05-30T23:02:39.646Z
Updated: 2025-02-13T17:54:16.108Z

NVIDIA CV-CUDA for Ubuntu 20.04, Ubuntu 22.04, and Jetpack contains a vulnerability in Python APIs where a user may cause an uncontrolled resource consumption issue by a long running CV-CUDA Python process. A successful exploit of this vulnerability may lead to denial of service and data loss.

Published: 2024-08-09T02:23:48.661Z
Updated: 2024-08-09T17:16:21.280Z

In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use systemd socket activation for openssh-server. This could unknowingly leave the local machine exposed to remote SSH access contrary to expectation of the user.

Published: 2025-04-15T18:29:54.565Z
Updated: 2025-04-15T20:51:31.399Z

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Published: 2023-10-03T17:25:08.434Z
Updated: 2026-05-12T10:18:01.935Z

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

Published: 2023-12-08T00:00:00.000Z
Updated: 2025-11-04T19:25:32.700Z

PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.

Published: 2023-09-26T00:00:00.000Z
Updated: 2024-09-24T18:11:55.076Z

An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.

Published: 2023-08-14T00:00:00.000Z
Updated: 2026-02-25T17:20:11.768Z

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.

Published: 2023-09-06T13:50:26.344Z
Updated: 2025-02-13T17:01:35.796Z

A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.

Published: 2023-07-24T15:19:19.795Z
Updated: 2025-11-06T19:46:34.822Z

A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).

Published: 2023-06-28T19:33:55.097Z
Updated: 2025-03-05T18:55:17.919Z

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

Published: 2023-09-01T20:49:43.576Z
Updated: 2024-09-30T20:19:08.943Z

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

Published: 2023-09-01T20:49:43.576Z
Updated: 2024-09-30T20:19:08.943Z

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Published: 2023-06-16T00:00:00.000Z
Updated: 2025-05-05T15:57:20.355Z

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace

Published: 2023-07-05T18:33:59.665Z
Updated: 2025-03-05T18:54:52.842Z

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu Linux kernel contained a race condition when handling inode locking in some situations. A local attacker could use this to cause a denial of service (kernel deadlock).

Published: 2023-05-30T23:12:29.867Z
Updated: 2025-02-13T16:44:50.457Z

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

Published: 2023-04-26T22:23:47.305Z
Updated: 2025-02-13T16:39:30.230Z

Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.

Published: 2023-09-01T18:41:47.820Z
Updated: 2024-10-01T13:08:45.851Z

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.

Published: 2023-03-27T00:00:00.000Z
Updated: 2024-08-02T05:49:10.358Z

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

Published: 2023-04-13T22:35:19.704Z
Updated: 2025-02-07T15:54:48.365Z

The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.

Published: 2024-01-08T18:11:31.951Z
Updated: 2024-08-27T15:48:22.031Z

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

Published: 2023-03-22T00:00:00.000Z
Updated: 2025-10-21T23:15:22.744Z

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

Published: 2023-03-27T00:00:00.000Z
Updated: 2025-02-19T16:12:13.054Z

mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.

Published: 2022-09-21T00:00:00.000Z
Updated: 2025-05-28T15:28:00.387Z

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

Published: 2022-10-31T00:00:00.000Z
Updated: 2025-05-06T18:29:51.839Z

Race condition in snap-confine's must_mkdir_and_open_with_perms()

Published: 2024-01-08T18:04:10.534Z
Updated: 2025-06-03T14:35:04.952Z

An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

Published: 2022-07-04T20:07:32.000Z
Updated: 2024-08-03T09:22:10.749Z

io_uring UAF, Unix SCM garbage collection

Published: 2024-01-08T17:56:16.403Z
Updated: 2025-04-17T17:54:49.459Z

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.

Published: 2024-01-08T17:50:47.948Z
Updated: 2025-05-22T18:23:25.184Z

It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.

Published: 2024-01-08T17:46:06.110Z
Updated: 2025-10-21T23:05:29.297Z

It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.

Published: 2024-01-08T17:38:27.327Z
Updated: 2024-09-04T19:03:25.626Z

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

Published: 2023-04-19T21:47:41.034Z
Updated: 2025-02-05T14:42:29.207Z

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

Published: 2022-05-17T16:50:12.000Z
Updated: 2025-04-21T13:53:27.216Z

Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing

Published: 2024-06-04T22:03:53.633Z
Updated: 2024-10-27T14:58:19.533Z

Apport does not disable python crash handler before entering chroot

Published: 2024-06-04T22:02:26.017Z
Updated: 2024-08-03T05:56:16.428Z

is_closing_session() allows users to consume RAM in the Apport process

Published: 2024-06-04T21:58:44.839Z
Updated: 2025-03-19T17:42:19.680Z

is_closing_session() allows users to create arbitrary tcp dbus connections

Published: 2024-06-04T21:56:50.616Z
Updated: 2024-10-27T17:49:04.264Z

is_closing_session() allows users to fill up apport.log

Published: 2024-06-04T21:54:37.199Z
Updated: 2024-10-27T17:48:06.702Z

~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

Published: 2024-06-04T21:38:44.324Z
Updated: 2025-03-13T18:21:18.146Z

accountsservice no longer drops permissions when writting .pam_environment

Published: 2025-03-25T12:28:08.041Z
Updated: 2025-03-25T12:58:47.368Z

Ubuntu's configuration of gnome-control-center allowed Remote Desktop Sharing to be enabled by default.

Published: 2025-01-31T01:35:46.759Z
Updated: 2025-02-07T16:07:47.540Z

Apport can be tricked into connecting to arbitrary sockets as the root user

Published: 2024-06-03T18:48:02.281Z
Updated: 2025-03-27T19:31:12.082Z

A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5

Published: 2022-03-29T15:05:13.000Z
Updated: 2024-08-02T23:47:43.302Z

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

Published: 2022-03-03T00:00:00.000Z
Updated: 2026-06-03T03:55:20.847Z

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allow an attacker to execute arbitrary code as root.

Published: 2024-06-03T18:40:32.847Z
Updated: 2024-08-19T14:10:41.358Z