Ubuntu Security Notices

Recent content on Ubuntu security notices

  • USN-7699-1: Linux kernel vulnerabilities
    on August 18, 2025 at 8:35 pm

    Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
      – ARM64 architecture;
      – RISC-V architecture;
      – x86 architecture;
      – Buffer Sharing and Synchronization framework;
      – DMA engine subsystem;
      – GPU drivers;
      – HID subsystem;
      – IIO ADC drivers;
      – IIO subsystem;
      – InfiniBand drivers;
      – Input Device core drivers;
      – Network drivers;
      – Mellanox network drivers;
      – PHY drivers;
      – Voltage and Current Regulator drivers;
      – VideoCore services drivers;
      – USB Type-C Connector System Software Interface driver;
      – Xen hypervisor drivers;
      – EROFS file system;
      – Network file system (NFS) client;
      – File systems infrastructure;
      – SMB network file system;
      – Network traffic control;
      – io_uring subsystem;
      – Kernel command line parsing driver;
      – Scheduler infrastructure;
      – Memory management;
      – Networking core;
      – MAC80211 subsystem;
      – Management Component Transport Protocol (MCTP);
      – Netfilter;
      – Open vSwitch;
      – TLS protocol;
      – Wireless networking;
      – SOF drivers.
    (CVE-2025-38011, CVE-2025-38095, CVE-2025-37967, CVE-2025-38012, CVE-2025-38019, CVE-2025-37960, CVE-2025-37973, CVE-2025-37958, CVE-2025-38094, CVE-2025-37963, CVE-2025-37955, CVE-2025-38014, CVE-2025-38025, CVE-2025-37970, CVE-2025-37947, CVE-2025-37966, CVE-2025-37948, CVE-2025-38013, CVE-2025-37957, CVE-2025-38028, CVE-2025-37962, CVE-2025-38002, CVE-2025-37996, CVE-2025-37992, CVE-2025-37969, CVE-2025-38009, CVE-2025-38027, CVE-2025-38020, CVE-2025-38023, CVE-2025-38008, CVE-2025-38015, CVE-2025-37954, CVE-2025-38007, CVE-2025-38005, CVE-2025-37956, CVE-2025-37965, CVE-2025-37972, CVE-2025-38006, CVE-2025-37971, CVE-2025-38056, CVE-2025-37968, CVE-2025-38024, CVE-2025-37951, CVE-2025-38016, CVE-2025-38022, CVE-2025-37964, CVE-2025-37994, CVE-2025-37952, CVE-2025-37998, CVE-2025-37993, CVE-2025-38018, CVE-2025-38010, CVE-2025-37995, CVE-2025-38021, CVE-2025-37999, CVE-2025-37961, CVE-2025-37959, CVE-2025-37950, CVE-2025-37949)

  • LSN-0114-1: Kernel Live Patch Security Notice
    on August 18, 2025 at 10:14 am

    In the Linux kernel, the following vulnerability has been resolved: bfq: fix use-after-free in bfq_dispatch_request. KASAN reports a use-after-free report when doing normal scsi-mq test.

    In the Linux kernel, the following vulnerability has been resolved: block, bfq: don’t move oom_bfqq. Our test report a UAF: .

    In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del(). When l2cap_recv_frame() is invoked to receive data, and the cid is L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. However, after a channel is created, the hold operation of the channel is not performed.

    In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready(). After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent.

    In the Linux kernel, the following vulnerability has been resolved: ext4: aovid use-after-free in ext4_ext_insert_extent(). As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we’ll use the stale path and cause UAF. Below is a sample trace with dummy values: ext4_ext_insert_extent path .

    In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices. A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config.

    In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up. The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote().

    In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn(). After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem.

  • USN-7698-1: OpenLDAP vulnerabilities
    on August 17, 2025 at 11:37 pm

    It was discovered that OpenLDAP incorrectly handled Certificate Exact Assertion processing. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service. (CVE-2020-36221) It was discovered that OpenLDAP incorrectly handled saslAuthzTo processing. A remote attacker could use this issue to cause OpenLDAP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-36222, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226) It was discovered that OpenLDAP incorrectly handled Return Filter control handling. A remote attacker could use this issue to cause OpenLDAP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-36223) It was discovered that OpenLDAP incorrectly handled certain cancel operations. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service. (CVE-2020-36227) It was discovered that OpenLDAP incorrectly handled Certificate List Extract Assertion processing. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service. (CVE-2020-36228)

  • USN-7697-1: AIDE vulnerabilities
    on August 14, 2025 at 3:17 pm

    Rajesh Pangare discovered that AIDE incorrectly handled filenames. A local attacker could possibly use this issue to bypass the detection of malicious files. (CVE-2025-54389) Rajesh Pangare discovered that AIDE incorrectly handled extended file attributes. A local attacker could possibly use this issue to cause a denial of service. (CVE-2025-54409)

  • USN-7695-1: Sidekiq vulnerabilities
    on August 14, 2025 at 5:45 am

    Anas Roubi discovered that Sidekiq did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-30151) It was discovered that Sidekiq did not correctly bound certain inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-23837)

  • USN-7693-1: qs vulnerability
    on August 14, 2025 at 1:40 am

    Nathanael Braun and Johan Brissaud discovered that qs was vulnerable to prototype pollution. A remote attacker could possibly use this issue to cause a denial of service.

  • USN-7692-1: Request Tracker vulnerabilities
    on August 13, 2025 at 3:40 pm

    It was discovered that Request Tracker was susceptible to timing attacks. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2021-38562) It was discovered that Request Tracker was susceptible to cross-site scripting attacks when malicious attachments were supplied. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-25802) It was discovered that Request Tracker would incorrectly redirect users in certain instances. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-25803) Tom Wolters discovered that Request Tracker could leak information when malicious email headers were supplied. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-41259, CVE-2023-41260) It was discovered that Request Tracker could leak information through its transaction search. An attacker with access to the transaction query builder of Request Tracker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-45024) It was discovered that Request Tracker erroneously stored ticket information in a web browser’s cache. An attacker with direct access to a system could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-3262) It was discovered that Request Tracker made use of an obsolete cryptographic algorithm for emails sent with S/MIME encryption. An attacker could possibly use this issue to access sensitive information. (CVE-2025-2545) It was discovered that Request Tracker was susceptible to cross-site scripting attacks when malicious parameters were included in a search URL. An attacker could possibly use this issue to execute arbitrary code. (CVE-2025-30087) It was discovered that Request Tracker was susceptible to cross-site scripting attacks when malicious permalinks or assets were provided. An attacker could possibly use this issue to execute arbitrary code. (CVE-2025-31500, CVE-2025-31501)

  • USN-6885-6: Apache HTTP Server regression
    on August 13, 2025 at 2:57 pm

    USN-6885-1 fixed vulnerabilities in Apache. The patch for CVE-2024-38474 was incomplete and caused a regression. This update provides the fix for this issue. Original advisory details: Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions. (CVE-2024-38474)

  • USN-7691-1: MySQL vulnerabilities
    on August 13, 2025 at 12:33 pm

    Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.43 in Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. Ubuntu 25.04 has been updated to MySQL 8.4.6. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information:
      – https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-43.html
      – https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-6.html
      – https://www.oracle.com/security-alerts/cpujul2025.html

  • USN-7685-5: Linux kernel (Oracle) vulnerabilities
    on August 13, 2025 at 7:36 am

    Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
      – Device tree and open firmware driver;
      – SCSI subsystem;
      – TTY drivers;
      – Ext4 file system;
      – SMB network file system;
      – Bluetooth subsystem;
      – Network traffic control;
      – Sun RPC protocol;
      – USB sound devices.
    (CVE-2025-37797, CVE-2024-49950, CVE-2024-56748, CVE-2023-52975, CVE-2024-50073, CVE-2023-52885, CVE-2023-52757, CVE-2024-38541, CVE-2024-53239, CVE-2024-49883)
