<?xml version='1.0' encoding='UTF-8'?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0"><channel><title>Ubuntu security notices</title><link>https://ubuntu.com/security/notices/rss.xml</link><description>Recent content on Ubuntu security notices</description><atom:link href="https://ubuntu.com/security/notices/rss.xml" rel="self"/><copyright>2026 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.</copyright><docs>http://www.rssboard.org/rss-specification</docs><generator>Feedgen</generator><lastBuildDate>Thu, 09 Jul 2026 15:17:07 +0000</lastBuildDate><item><title>USN-8522-1: LibRaw vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8522-1</link><description>It was discovered that LibRaw incorrectly handled certain Nikon RAW image
files. An attacker could possibly use this issue to cause LibRaw to crash,
resulting in a denial of service. (CVE-2026-5342)

It was discovered that LibRaw had an integer overflow in its DNG image
loader. An attacker could possibly use this issue to cause LibRaw to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-20884)

It was discovered that LibRaw incorrectly handled certain X3F thumbnail
data. An attacker could possibly use this issue to cause LibRaw to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-20889)

It was discovered that LibRaw had a heap-based buffer overflow in its
lossless JPEG image loader. An attacker could possibly use this issue to
cause LibRaw to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-21413)

It was discovered that LibRaw had an integer overflow in its uncompressed
floating-point DNG image loader. An attacker could possibly use this issue
to cause LibRaw to crash, resulting in a denial of service, or execute
arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.04.
(CVE-2026-24450)

It was discovered that LibRaw had a heap-based buffer overflow in its X3F
Huffman decoder. An attacker could possibly use this issue to cause LibRaw
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-24660)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8522-1</guid><pubDate>Thu, 09 Jul 2026 12:45:50 +0000</pubDate></item><item><title>USN-8521-1: Libidn vulnerability</title><link>https://ubuntu.com/security/notices/USN-8521-1</link><description>It was discovered that Libidn incorrectly handled certain internationalized
domain name strings. An attacker could possibly use this issue to obtain
sensitive information or cause a denial of service.</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8521-1</guid><pubDate>Thu, 09 Jul 2026 12:36:22 +0000</pubDate></item><item><title>USN-8520-1: Expat vulnerability</title><link>https://ubuntu.com/security/notices/USN-8520-1</link><description>It was discovered that Expat used insufficient entropy when generating
hash salt values for its internal hash table. An attacker could use this
to craft an XML document that triggers hash flooding, leading to a
denial of service.</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8520-1</guid><pubDate>Thu, 09 Jul 2026 11:51:02 +0000</pubDate></item><item><title>USN-8519-1: Go Cryptography vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8519-1</link><description>Jakub Ciolek and Nicola Murino discovered that Go Cryptography incorrectly
handled SSH agent responses. An attacker could use this to cause a denial
of service. (CVE-2025-47913)

Yuichi Watanabe discovered that Go Cryptography incorrectly handled SSH
key exchanges. An attacker could use this to cause a denial of service.
(CVE-2025-22869)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8519-1</guid><pubDate>Thu, 09 Jul 2026 08:41:10 +0000</pubDate></item><item><title>USN-8492-4: Linux kernel (Raspberry Pi) vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8492-4</link><description>Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - ARM64 architecture;
  - MIPS architecture;
  - PowerPC architecture;
  - x86 architecture;
  - Block layer subsystem;
  - Cryptographic API;
  - ACPI drivers;
  - ATM drivers;
  - RNBD block device driver;
  - Ublk userspace block driver;
  - Bus devices;
  - Character device driver;
  - TPM device driver;
  - Clock framework and drivers;
  - Clocksource drivers;
  - CPU idle management framework;
  - Hardware crypto device drivers;
  - DMA engine subsystem;
  - EFI core;
  - GPIO subsystem;
  - GPU drivers;
  - HID subsystem;
  - Hardware monitoring drivers;
  - IIO subsystem;
  - InfiniBand drivers;
  - IOMMU subsystem;
  - Multiple devices driver;
  - Media drivers;
  - Multifunction device drivers;
  - Broadcom VK accelerator driver;
  - MOST (Media Oriented Systems Transport) drivers;
  - MTD block device drivers;
  - Ethernet bonding driver;
  - Network drivers;
  - Mellanox network drivers;
  - STMicroelectronics network drivers;
  - NTB driver;
  - NVME drivers;
  - PCI subsystem;
  - Performance monitor drivers;
  - Pin controllers subsystem;
  - x86 platform drivers;
  - Power supply drivers;
  - RapidIO drivers;
  - RAS (Reliability, Availability, Serviceability) subsystem;
  - Remote Processor subsystem;
  - RPMSG subsystem;
  - S/390 drivers;
  - SCSI subsystem;
  - MediaTek SoC drivers;
  - Texas Instruments SoC drivers;
  - SPI subsystem;
  - Greybus lights staging drivers;
  - Realtek RTL8723BS SDIO drivers;
  - UFS subsystem;
  - ChipIdea USB driver;
  - DesignWare USB3 driver;
  - USB over IP driver;
  - vDPA drivers;
  - Virtio Host (VHOST) subsystem;
  - Framebuffer layer;
  - BTRFS file system;
  - File systems infrastructure;
  - Ceph distributed file system;
  - Ext4 file system;
  - F2FS file system;
  - FAT file system;
  - GFS2 file system;
  - HFS+ file system;
  - JFS file system;
  - Network file system (NFS) server daemon;
  - NILFS2 file system;
  - NTFS3 file system;
  - OCFS2 file system;
  - Proc file system;
  - Pstore file system;
  - Diskquota system;
  - SMB network file system;
  - XFS file system;
  - Audit subsystem;
  - Memory Management;
  - IPv6 networking;
  - Netfilter;
  - Tracing infrastructure;
  - Kernel kexec() syscall;
  - RCU subsystem;
  - Scheduler infrastructure;
  - Scatterlist API;
  - 9P file system network protocol;
  - Asynchronous Transfer Mode (ATM) subsystem;
  - B.A.T.M.A.N. meshing protocol;
  - Bluetooth subsystem;
  - Ethernet bridge;
  - Ceph Core library;
  - Networking core;
  - IPv4 networking;
  - KCM (Kernel Connection Multiplexor) sockets driver;
  - Multipath TCP;
  - NFC subsystem;
  - RDS protocol;
  - RxRPC session sockets;
  - Network traffic control;
  - SMC sockets;
  - Sun RPC protocol;
  - X.25 network layer;
  - XFRM subsystem;
  - AppArmor security module;
  - Simplified Mandatory Access Control Kernel framework;
  - SOF drivers;
  - USB sound devices;
(CVE-2025-40005, CVE-2025-71229, CVE-2025-71231, CVE-2025-71232,
CVE-2025-71233, CVE-2025-71235, CVE-2025-71236, CVE-2025-71237,
CVE-2025-71238, CVE-2025-71239, CVE-2025-71265, CVE-2025-71266,
CVE-2025-71267, CVE-2025-71272, CVE-2025-71273, CVE-2025-71274,
CVE-2025-71286, CVE-2025-71291, CVE-2025-71292, CVE-2025-71294,
CVE-2025-71295, CVE-2025-71297, CVE-2025-71304, CVE-2025-71305,
CVE-2026-23100, CVE-2026-23169, CVE-2026-23220, CVE-2026-23221,
CVE-2026-23222, CVE-2026-23228, CVE-2026-23229, CVE-2026-23230,
CVE-2026-23233, CVE-2026-23234, CVE-2026-23235, CVE-2026-23236,
CVE-2026-23237, CVE-2026-23238, CVE-2026-23241, CVE-2026-23242,
CVE-2026-23243, CVE-2026-23249, CVE-2026-23266, CVE-2026-23267,
CVE-2026-23272, CVE-2026-23278, CVE-2026-23392, CVE-2026-23428,
CVE-2026-23450, CVE-2026-23455, CVE-2026-31402, CVE-2026-31411,
CVE-2026-31418, CVE-2026-31436, CVE-2026-31448, CVE-2026-31478,
CVE-2026-31607, CVE-2026-31637, CVE-2026-31649, CVE-2026-31657,
CVE-2026-31659, CVE-2026-31668, CVE-2026-31669, CVE-2026-31682,
CVE-2026-31685, CVE-2026-31687, CVE-2026-31693, CVE-2026-43011,
CVE-2026-43037, CVE-2026-43038, CVE-2026-43071, CVE-2026-43114,
CVE-2026-43117, CVE-2026-43123, CVE-2026-43124, CVE-2026-43128,
CVE-2026-43130, CVE-2026-43132, CVE-2026-43133, CVE-2026-43134,
CVE-2026-43135, CVE-2026-43136, CVE-2026-43137, CVE-2026-43139,
CVE-2026-43140, CVE-2026-43141, CVE-2026-43143, CVE-2026-43145,
CVE-2026-43147, CVE-2026-43148, CVE-2026-43149, CVE-2026-43150,
CVE-2026-43152, CVE-2026-43153, CVE-2026-43156, CVE-2026-43157,
CVE-2026-43158, CVE-2026-43159, CVE-2026-43163, CVE-2026-43167,
CVE-2026-43168, CVE-2026-43169, CVE-2026-43170, CVE-2026-43171,
CVE-2026-43173, CVE-2026-43175, CVE-2026-43180, CVE-2026-43182,
CVE-2026-43183, CVE-2026-43184, CVE-2026-43186, CVE-2026-43187,
CVE-2026-43189, CVE-2026-43190, CVE-2026-43194, CVE-2026-43196,
CVE-2026-43199, CVE-2026-43200, CVE-2026-43201, CVE-2026-43202,
CVE-2026-43203, CVE-2026-43205, CVE-2026-43206, CVE-2026-43207,
CVE-2026-43209, CVE-2026-43211, CVE-2026-43212, CVE-2026-43214,
CVE-2026-43215, CVE-2026-43218, CVE-2026-43221, CVE-2026-43222,
CVE-2026-43223, CVE-2026-43225, CVE-2026-43226, CVE-2026-43227,
CVE-2026-43230, CVE-2026-43231, CVE-2026-43232, CVE-2026-43233,
CVE-2026-43236, CVE-2026-43238, CVE-2026-43239, CVE-2026-43241,
CVE-2026-43242, CVE-2026-43244, CVE-2026-43246, CVE-2026-43248,
CVE-2026-43249, CVE-2026-43250, CVE-2026-43251, CVE-2026-43253,
CVE-2026-43255, CVE-2026-43256, CVE-2026-43257, CVE-2026-43258,
CVE-2026-43261, CVE-2026-43262, CVE-2026-43264, CVE-2026-43266,
CVE-2026-43268, CVE-2026-43269, CVE-2026-43270, CVE-2026-43271,
CVE-2026-43273, CVE-2026-43275, CVE-2026-43277, CVE-2026-43278,
CVE-2026-43279, CVE-2026-43283, CVE-2026-43287, CVE-2026-43288,
CVE-2026-43289, CVE-2026-43291, CVE-2026-43295, CVE-2026-43296,
CVE-2026-43297, CVE-2026-43300, CVE-2026-43302, CVE-2026-43304,
CVE-2026-43312, CVE-2026-43313, CVE-2026-43314, CVE-2026-43315,
CVE-2026-43316, CVE-2026-43317, CVE-2026-43318, CVE-2026-43319,
CVE-2026-43320, CVE-2026-43341, CVE-2026-43378, CVE-2026-43383,
CVE-2026-43384, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414,
CVE-2026-43493, CVE-2026-43501, CVE-2026-45847, CVE-2026-45848,
CVE-2026-45849, CVE-2026-45851, CVE-2026-45852, CVE-2026-45856,
CVE-2026-45857, CVE-2026-45859, CVE-2026-45860, CVE-2026-45861,
CVE-2026-45862, CVE-2026-45864, CVE-2026-45865, CVE-2026-45866,
CVE-2026-45867, CVE-2026-45868, CVE-2026-45869, CVE-2026-45870,
CVE-2026-45871, CVE-2026-45872, CVE-2026-45873, CVE-2026-45875,
CVE-2026-45877, CVE-2026-45878, CVE-2026-45879, CVE-2026-45880,
CVE-2026-45881, CVE-2026-45882, CVE-2026-45883, CVE-2026-45884,
CVE-2026-45885, CVE-2026-45886, CVE-2026-45890, CVE-2026-45891,
CVE-2026-45893, CVE-2026-45895, CVE-2026-45902, CVE-2026-45904,
CVE-2026-45905, CVE-2026-45910, CVE-2026-45912, CVE-2026-45913,
CVE-2026-45914, CVE-2026-45915, CVE-2026-45916, CVE-2026-45917,
CVE-2026-45919, CVE-2026-45921, CVE-2026-45923, CVE-2026-45928,
CVE-2026-45935, CVE-2026-45936, CVE-2026-45938, CVE-2026-45941,
CVE-2026-45946, CVE-2026-45947, CVE-2026-45948, CVE-2026-45954,
CVE-2026-45957, CVE-2026-45960, CVE-2026-45962, CVE-2026-45964,
CVE-2026-45965, CVE-2026-45968, CVE-2026-45969, CVE-2026-45970,
CVE-2026-45972, CVE-2026-45973, CVE-2026-45974, CVE-2026-45976,
CVE-2026-45978, CVE-2026-45981, CVE-2026-45982, CVE-2026-45983,
CVE-2026-45984, CVE-2026-45988, CVE-2026-46043, CVE-2026-46115,
CVE-2026-46119, CVE-2026-46135, CVE-2026-46185, CVE-2026-46195,
CVE-2026-46243, CVE-2026-46244, CVE-2026-46246, CVE-2026-46247,
CVE-2026-46249, CVE-2026-46250, CVE-2026-46251, CVE-2026-46253,
CVE-2026-46254, CVE-2026-46255, CVE-2026-46259, CVE-2026-46260,
CVE-2026-46261, CVE-2026-46265, CVE-2026-46266, CVE-2026-46267,
CVE-2026-46270, CVE-2026-46289, CVE-2026-46328)
</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8492-4</guid><pubDate>Thu, 09 Jul 2026 08:10:03 +0000</pubDate></item><item><title>USN-8490-2: Linux kernel (Raspberry Pi) vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8490-2</link><description>Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - ARM64 architecture;
  - Block layer subsystem;
  - Cryptographic API;
  - DMA engine subsystem;
  - InfiniBand drivers;
  - STMicroelectronics network drivers;
  - Network drivers;
  - NVME drivers;
  - SCSI subsystem;
  - USB over IP driver;
  - File systems infrastructure;
  - Ext4 file system;
  - Network file system (NFS) server daemon;
  - SMB network file system;
  - Kernel thread helper (kthread);
  - IPv6 networking;
  - Tracing infrastructure;
  - Kernel exit() syscall;
  - Scatterlist API;
  - B.A.T.M.A.N. meshing protocol;
  - Ethernet bridge;
  - Ceph Core library;
  - IPv4 networking;
  - Multipath TCP;
  - Netfilter;
  - RxRPC session sockets;
  - SMC sockets;
  - X.25 network layer;
(CVE-2026-22984, CVE-2026-23272, CVE-2026-23278, CVE-2026-23392,
CVE-2026-23427, CVE-2026-23428, CVE-2026-23450, CVE-2026-23455,
CVE-2026-31402, CVE-2026-31418, CVE-2026-31436, CVE-2026-31448,
CVE-2026-31478, CVE-2026-31607, CVE-2026-31635, CVE-2026-31637,
CVE-2026-31649, CVE-2026-31657, CVE-2026-31659, CVE-2026-31668,
CVE-2026-31669, CVE-2026-31682, CVE-2026-31685, CVE-2026-31718,
CVE-2026-43011, CVE-2026-43037, CVE-2026-43038, CVE-2026-43071,
CVE-2026-43083, CVE-2026-43114, CVE-2026-43117, CVE-2026-43125,
CVE-2026-43186, CVE-2026-43197, CVE-2026-43304, CVE-2026-43341,
CVE-2026-43376, CVE-2026-43378, CVE-2026-43383, CVE-2026-43384,
CVE-2026-43402, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414,
CVE-2026-43493, CVE-2026-43501, CVE-2026-45898, CVE-2026-45988,
CVE-2026-46039, CVE-2026-46043, CVE-2026-46115, CVE-2026-46119,
CVE-2026-46135, CVE-2026-46185, CVE-2026-46195, CVE-2026-46243,
CVE-2026-46244, CVE-2026-46266, CVE-2026-46289, CVE-2026-46316,
CVE-2026-46325)
</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8490-2</guid><pubDate>Thu, 09 Jul 2026 07:55:55 +0000</pubDate></item><item><title>USN-8518-1: mailcap vulnerability</title><link>https://ubuntu.com/security/notices/USN-8518-1</link><description>Aaron Rainbolt discovered that the cautious-launcher utility in the
mailcap package did not properly restrict the execution of certain
file types. An attacker could use this issue to escape a sandboxed
application and execute arbitrary code on the host operating system.</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8518-1</guid><pubDate>Wed, 08 Jul 2026 17:15:41 +0000</pubDate></item><item><title>USN-8517-1: ClamAV vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8517-1</link><description>It was discovered that ClamAV incorrectly handled certain PE files. A
remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service. (CVE-2026-20213, CVE-2026-20214,
CVE-2026-20217)

It was discovered that ClamAV incorrectly handled certain 7z archive
files. A remote attacker could possibly use this issue to cause ClamAV to
crash, resulting in a denial of service. (CVE-2026-20215)

It was discovered that ClamAV incorrectly handled extraction limits for
certain InstallShield archives. A remote attacker could possibly use this
issue to cause ClamAV to use excessive resources, leading to a denial of
service. (CVE-2026-20216)

It was discovered that ClamAV incorrectly handled certain ALZ archive
files. A remote attacker could possibly use this issue to cause ClamAV to
crash, resulting in a denial of service. (CVE-2026-20243)

It was discovered that ClamAV incorrectly handled certain DMG files. A
remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service. (CVE-2026-20244)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8517-1</guid><pubDate>Wed, 08 Jul 2026 14:07:06 +0000</pubDate></item><item><title>USN-8516-1: Apache HTTP Server vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8516-1</link><description>It was discovered that Apache HTTP Server's mod_ldap module incorrectly
handled memory when processing per-directory configurations. An attacker
could use this issue to cause the server to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2026-29167)

It was discovered that Apache HTTP Server's mod_proxy_ftp module
incorrectly handled HTML generation for FTP directory listings. A remote
attacker could possibly use this issue to inject arbitrary web script or
HTML. (CVE-2026-29170)

It was discovered that Apache HTTP Server's mod_proxy_html module
incorrectly handled certain content from an untrusted backend. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-34355)

It was discovered that Apache HTTP Server incorrectly handled
ProxyPassReverseCookie directives with a malicious backend server. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-34356)

It was discovered that Apache HTTP Server's mod_dav_fs module incorrectly
handled certain path operations. An authenticated user could possibly use
this issue to manipulate trusted WebDAV property databases or cause a
denial of service. (CVE-2026-42535)

It was discovered that Apache HTTP Server's mod_xml2enc module incorrectly
handled certain content from an untrusted backend. A remote attacker could
possibly use this issue to cause Apache HTTP Server to crash, resulting in
a denial of service. (CVE-2026-42536)

It was discovered that Apache HTTP Server incorrectly handled response
headers when multiple content languages were configured. A remote attacker
could possibly use this issue to obtain sensitive information.
(CVE-2026-43951)

It was discovered that Apache HTTP Server incorrectly restricted certain
file functions in expressions within .htaccess files. A local attacker with
.htaccess write access could possibly use this issue to obtain sensitive
information. (CVE-2026-44119)

It was discovered that Apache HTTP Server's mod_ssl module incorrectly
handled OCSP responses from an attacker-controlled server. A remote
attacker could possibly use this issue to obtain sensitive information or
cause a denial of service. (CVE-2026-44185)

It was discovered that Apache HTTP Server's mod_proxy_ftp module
incorrectly handled responses from an attacker-controlled backend FTP
server. A remote attacker could possibly use this issue to cause Apache
HTTP Server to stop responding, resulting in a denial of service.
(CVE-2026-44186)

It was discovered that Apache HTTP Server incorrectly handled crafted
regular expressions in the server configuration. An attacker could possibly
use this issue to execute arbitrary code or cause a denial of service.
(CVE-2026-44631)

It was discovered that Apache HTTP Server's mod_http2 module had a
use-after-free vulnerability when file handles were exhausted. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-48913)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8516-1</guid><pubDate>Wed, 08 Jul 2026 13:49:49 +0000</pubDate></item><item><title>USN-8515-1: Addressable vulnerability</title><link>https://ubuntu.com/security/notices/USN-8515-1</link><description>It was discovered that Addressable incorrectly handled certain URI
templates, generating regular expressions vulnerable to catastrophic
backtracking. An attacker could use this issue to craft a URI that, when matched
against a vulnerable template, causes excessive resource consumption,
leading to a denial of service.</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8515-1</guid><pubDate>Tue, 07 Jul 2026 10:46:24 +0000</pubDate></item></channel></rss>