{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.8.0-90-generic",
                "linux-modules-6.8.0-90-generic"
            ],
            "removed": [
                "linux-image-6.8.0-87-generic",
                "linux-modules-6.8.0-87-generic"
            ],
            "diff": [
                "apparmor",
                "bsdutils",
                "dhcpcd-base",
                "fdisk",
                "gir1.2-glib-2.0",
                "libapparmor1",
                "libblkid1",
                "libfdisk1",
                "libglib2.0-0t64",
                "libmount1",
                "libnetplan1",
                "libpam-systemd",
                "libpng16-16t64",
                "libpython3.12-minimal",
                "libpython3.12-stdlib",
                "libsmartcols1",
                "libsystemd-shared",
                "libsystemd0",
                "libudev1",
                "libuuid1",
                "linux-image-virtual",
                "mount",
                "netplan-generator",
                "netplan.io",
                "python-apt-common",
                "python3-apt",
                "python3-netplan",
                "python3-urllib3",
                "python3.12",
                "python3.12-minimal",
                "systemd",
                "systemd-dev",
                "systemd-resolved",
                "systemd-sysv",
                "systemd-timesyncd",
                "ubuntu-drivers-common",
                "ubuntu-pro-client",
                "udev",
                "util-linux"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "apparmor",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.4",
                    "version": "4.0.1really4.0.1-0ubuntu0.24.04.4"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.5",
                    "version": "4.0.1really4.0.1-0ubuntu0.24.04.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115234
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * profiles: make /sys/devices PCI paths hex-aware (LP: #2115234)",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "4.0.1really4.0.1-0ubuntu0.24.04.5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2115234
                        ],
                        "author": "Keifer Snedeker <keifer.snedeker@canonical.com>",
                        "date": "Fri, 15 Aug 2025 13:16:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bsdutils",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "1:2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "1:2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dhcpcd-base",
                "from_version": {
                    "source_package_name": "dhcpcd",
                    "source_package_version": "1:10.0.6-1ubuntu3.1",
                    "version": "1:10.0.6-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "dhcpcd",
                    "source_package_version": "1:10.0.6-1ubuntu3.2",
                    "version": "1:10.0.6-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2131252
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix intermittent dumplease failures when parsing stdin (LP: #2131252)",
                            "    - d/p/lp2131252-0-Force-dumplease-to-parse-stdin.patch",
                            "    - d/p/lp2131252-1-Improve-and-document-prior.patch",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.0.6-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2131252
                        ],
                        "author": "Bryan Fraschetti <bryan.fraschetti@canonical.com>",
                        "date": "Thu, 13 Nov 2025 12:47:30 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fdisk",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gir1.2-glib-2.0",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.80.0-6ubuntu3.4",
                    "version": "2.80.0-6ubuntu3.4"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.80.0-6ubuntu3.5",
                    "version": "2.80.0-6ubuntu3.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2119581
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian: Update VCS references to ubuntu/noble branch",
                            "  * debian/patches: Fix a crash on arg0 matching.",
                            "    This is causing a crash in tracker if the battery charging state changes",
                            "    while tracker is indexing files, as tracker-extract-3 will try to emit",
                            "    property changes with a NULL arg0. (LP: #2119581)",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.80.0-6ubuntu3.5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2119581
                        ],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Tue, 04 Nov 2025 16:05:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libapparmor1",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.4",
                    "version": "4.0.1really4.0.1-0ubuntu0.24.04.4"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.5",
                    "version": "4.0.1really4.0.1-0ubuntu0.24.04.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115234
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * profiles: make /sys/devices PCI paths hex-aware (LP: #2115234)",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "4.0.1really4.0.1-0ubuntu0.24.04.5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2115234
                        ],
                        "author": "Keifer Snedeker <keifer.snedeker@canonical.com>",
                        "date": "Fri, 15 Aug 2025 13:16:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libblkid1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfdisk1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-0t64",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.80.0-6ubuntu3.4",
                    "version": "2.80.0-6ubuntu3.4"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.80.0-6ubuntu3.5",
                    "version": "2.80.0-6ubuntu3.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2119581
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian: Update VCS references to ubuntu/noble branch",
                            "  * debian/patches: Fix a crash on arg0 matching.",
                            "    This is causing a crash in tracker if the battery charging state changes",
                            "    while tracker is indexing files, as tracker-extract-3 will try to emit",
                            "    property changes with a NULL arg0. (LP: #2119581)",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.80.0-6ubuntu3.5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2119581
                        ],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Tue, 04 Nov 2025 16:05:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmount1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnetplan1",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~24.04.1",
                    "version": "1.1.2-8ubuntu1~24.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127195
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)",
                            "    - Allows non standard OVS setups (e.g. OVS from snap)",
                            "    - Test improvements, especially for slower architectures such as riscv64",
                            "    - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies",
                            "    - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and",
                            "      suggests systemd-resolved",
                            "  * SRU compatibility",
                            "    - d/gbp.conf: Update for Noble",
                            "    - d/libnetplan1.symbols: keep it at the original version",
                            "    - d/p/series: Keep d/p/sru-compat/* patches",
                            "    - d/p/series: Drop wait-online-dns* which is incompatible with systemd v255",
                            "      + d/control: Keep systemd dependency at v248",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~24.04.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2127195
                        ],
                        "author": "Lukas Märdian <slyon@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 12:45:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpng16-16t64",
                "from_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.43-5build1",
                    "version": "1.6.43-5build1"
                },
                "to_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.43-5ubuntu0.1",
                    "version": "1.6.43-5ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-64505",
                        "url": "https://ubuntu.com/security/CVE-2025-64505",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-25 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-64506",
                        "url": "https://ubuntu.com/security/CVE-2025-64506",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-25 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-64720",
                        "url": "https://ubuntu.com/security/CVE-2025-64720",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-25 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-65018",
                        "url": "https://ubuntu.com/security/CVE-2025-65018",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-25 00:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-64505",
                                "url": "https://ubuntu.com/security/CVE-2025-64505",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-25 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-64506",
                                "url": "https://ubuntu.com/security/CVE-2025-64506",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-25 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-64720",
                                "url": "https://ubuntu.com/security/CVE-2025-64720",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-25 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-65018",
                                "url": "https://ubuntu.com/security/CVE-2025-65018",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-25 00:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: buffer overflow issue",
                            "    - debian/patches/CVE-2025-64505.patch: Fix a buffer overflow in",
                            "      png_do_quantize",
                            "    - debian/patches/CVE-2025-64506.patch: Fix a heap buffer overflow in",
                            "      png_write_image_8bit",
                            "    - debian/patches/CVE-2025-64720.patch: Fix a buffer overflow in",
                            "      png_init_read_transformations",
                            "    - debian/patches/CVE-2025-65018.patch: Fix a heap buffer overflow in",
                            "      png_image_finish_read",
                            "    - CVE-2025-64505",
                            "    - CVE-2025-64506",
                            "    - CVE-2025-64720",
                            "    - CVE-2025-65018",
                            ""
                        ],
                        "package": "libpng1.6",
                        "version": "1.6.43-5ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nishit Majithia <nishit.majithia@canonical.com>",
                        "date": "Tue, 09 Dec 2025 17:36:48 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.12-minimal",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.9",
                    "version": "3.12.3-1ubuntu0.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8291",
                        "url": "https://ubuntu.com/security/CVE-2025-8291",
                        "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value, and that value would not be used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-07 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6075",
                        "url": "https://ubuntu.com/security/CVE-2025-6075",
                        "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8291",
                                "url": "https://ubuntu.com/security/CVE-2025-8291",
                                "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value, and that value would not be used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-07 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-6075",
                                "url": "https://ubuntu.com/security/CVE-2025-6075",
                                "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Possible payload obfuscation",
                            "    - debian/patches/CVE-2025-8291.patch: check consistency of",
                            "      the zip64 end of central dir record in Lib/zipfile.py,",
                            "      Lib/test/test_zipfile.py.",
                            "    - CVE-2025-8291",
                            "  * SECURITY UPDATE: Performance degradation",
                            "    - debian/patches/CVE-2025-6075.patch: fix quadratic complexity",
                            "      in os.path.expandvars() in Lib/ntpath.py, Lib/posixpath.py,",
                            "      Lib/test/test_genericpath.py, Lib/test/test_ntpath.py.",
                            "    - CVE-2025-6075",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.9",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Thu, 06 Nov 2025 10:44:16 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.12-stdlib",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.9",
                    "version": "3.12.3-1ubuntu0.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8291",
                        "url": "https://ubuntu.com/security/CVE-2025-8291",
                        "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value, and that value would not be used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-07 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6075",
                        "url": "https://ubuntu.com/security/CVE-2025-6075",
                        "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8291",
                                "url": "https://ubuntu.com/security/CVE-2025-8291",
                                "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value, and that value would not be used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-07 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-6075",
                                "url": "https://ubuntu.com/security/CVE-2025-6075",
                                "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Possible payload obfuscation",
                            "    - debian/patches/CVE-2025-8291.patch: check consistency of",
                            "      the zip64 end of central dir record in Lib/zipfile.py,",
                            "      Lib/test/test_zipfile.py.",
                            "    - CVE-2025-8291",
                            "  * SECURITY UPDATE: Performance degradation",
                            "    - debian/patches/CVE-2025-6075.patch: fix quadratic complexity",
                            "      in os.path.expandvars() in Lib/ntpath.py, Lib/posixpath.py,",
                            "      Lib/test/test_genericpath.py, Lib/test/test_ntpath.py.",
                            "    - CVE-2025-6075",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.9",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Thu, 06 Nov 2025 10:44:16 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsmartcols1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libuuid1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.8.0-87.88",
                    "version": "6.8.0-87.88"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.8.0-90.91",
                    "version": "6.8.0-90.91"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2128721
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-90.91",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-90.91",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Tue, 18 Nov 2025 12:45:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-89.90",
                            "",
                            "  * missing transitionals for intel-iotg kernels (LP: #2128721)",
                            "    - [Packaging] Transition intel-iotg to hwe-24.04",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-89.90",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2128721
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 14 Nov 2025 18:07:55 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-88.89",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-88.89",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Sat, 11 Oct 2025 01:39:50 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "mount",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan-generator",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~24.04.1",
                    "version": "1.1.2-8ubuntu1~24.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127195
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)",
                            "    - Allows non standard OVS setups (e.g. OVS from snap)",
                            "    - Test improvements, especially for slower architectures such as riscv64",
                            "    - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies",
                            "    - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and",
                            "      suggests systemd-resolved",
                            "  * SRU compatibility",
                            "    - d/gbp.conf: Update for Noble",
                            "    - d/libnetplan1.symbols: keep it at the original version",
                            "    - d/p/series: Keep d/p/sru-compat/* patches",
                            "    - d/p/series: Drop wait-online-dns* which is incompatible with systemd v255",
                            "      + d/control: Keep systemd dependency at v248",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~24.04.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2127195
                        ],
                        "author": "Lukas Märdian <slyon@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 12:45:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan.io",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~24.04.1",
                    "version": "1.1.2-8ubuntu1~24.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127195
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)",
                            "    - Allows non standard OVS setups (e.g. OVS from snap)",
                            "    - Test improvements, especially for slower architectures such as riscv64",
                            "    - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies",
                            "    - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and",
                            "      suggests systemd-resolved",
                            "  * SRU compatibility",
                            "    - d/gbp.conf: Update for Noble",
                            "    - d/libnetplan1.symbols: keep it at the original version",
                            "    - d/p/series: Keep d/p/sru-compat/* patches",
                            "    - d/p/series: Drop wait-online-dns* which is incompatible with systemd v255",
                            "      + d/control: Keep systemd dependency at v248",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~24.04.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2127195
                        ],
                        "author": "Lukas Märdian <slyon@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 12:45:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python-apt-common",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu5",
                    "version": "2.7.7ubuntu5"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu5.1",
                    "version": "2.7.7ubuntu5.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6966",
                        "url": "https://ubuntu.com/security/CVE-2025-6966",
                        "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2091865
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6966",
                                "url": "https://ubuntu.com/security/CVE-2025-6966",
                                "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)",
                            "    - python/tag.cc: check for NULL pointer before dereferencing",
                            "    - CVE-2025-6966",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "2.7.7ubuntu5.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2091865
                        ],
                        "author": "Sudhakar Verma <sudhakar.verma@canonical.com>",
                        "date": "Fri, 05 Dec 2025 22:45:54 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apt",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu5",
                    "version": "2.7.7ubuntu5"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu5.1",
                    "version": "2.7.7ubuntu5.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6966",
                        "url": "https://ubuntu.com/security/CVE-2025-6966",
                        "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2091865
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6966",
                                "url": "https://ubuntu.com/security/CVE-2025-6966",
                                "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)",
                            "    - python/tag.cc: check for NULL pointer before dereferencing",
                            "    - CVE-2025-6966",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "2.7.7ubuntu5.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2091865
                        ],
                        "author": "Sudhakar Verma <sudhakar.verma@canonical.com>",
                        "date": "Fri, 05 Dec 2025 22:45:54 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-netplan",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~24.04.1",
                    "version": "1.1.2-8ubuntu1~24.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127195
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)",
                            "    - Allows non standard OVS setups (e.g. OVS from snap)",
                            "    - Test improvements, especially for slower architectures such as riscv64",
                            "    - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies",
                            "    - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and",
                            "      suggests systemd-resolved",
                            "  * SRU compatibility",
                            "    - d/gbp.conf: Update for Noble",
                            "    - d/libnetplan1.symbols: keep it at the original version",
                            "    - d/p/series: Keep d/p/sru-compat/* patches",
                            "    - d/p/series: Drop wait-online-dns* which is incompatible with systemd v255",
                            "      + d/control: Keep systemd dependency at v248",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~24.04.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2127195
                        ],
                        "author": "Lukas Märdian <slyon@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 12:45:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-urllib3",
                "from_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.0.7-1ubuntu0.2",
                    "version": "2.0.7-1ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.0.7-1ubuntu0.3",
                    "version": "2.0.7-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-66418",
                        "url": "https://ubuntu.com/security/CVE-2025-66418",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-66471",
                        "url": "https://ubuntu.com/security/CVE-2025-66471",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-66418",
                                "url": "https://ubuntu.com/security/CVE-2025-66418",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-66471",
                                "url": "https://ubuntu.com/security/CVE-2025-66471",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Denial of service due to unbounded decompression chain.",
                            "    - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and",
                            "      checks in src/urllib3/response.py. Add test in test/test_response.py.",
                            "    - CVE-2025-66418",
                            "  * SECURITY UPDATE: Denial of service due to decompression bomb.",
                            "    - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in",
                            "      src/urllib3/response.py. Add tests in test/test_response.py.",
                            "    - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning",
                            "      due to intrusive backport for brotli fixes and upstream version warning",
                            "      not being appropriate for distro backporting.",
                            "    - CVE-2025-66471",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.0.7-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 10 Dec 2025 15:56:11 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.12",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.9",
                    "version": "3.12.3-1ubuntu0.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8291",
                        "url": "https://ubuntu.com/security/CVE-2025-8291",
                        "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-07 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6075",
                        "url": "https://ubuntu.com/security/CVE-2025-6075",
                        "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8291",
                                "url": "https://ubuntu.com/security/CVE-2025-8291",
                                "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-07 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-6075",
                                "url": "https://ubuntu.com/security/CVE-2025-6075",
                                "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Possible payload obfuscation",
                            "    - debian/patches/CVE-2025-8291.patch: check consistency of",
                            "      the zip64 end of central dir record in Lib/zipfile.py,",
                            "      Lib/test/test_zipfile.py.",
                            "    - CVE-2025-8291",
                            "  * SECURITY UPDATE: Performance degradation",
                            "    - debian/patches/CVE-2025-6075.patch: fix quadratic complexity",
                            "      in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,",
                            "      Lib/test/test_genericpatch.py, Lib/test/test_npath.py.",
                            "    - CVE-2025-6075",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.9",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Thu, 06 Nov 2025 10:44:16 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.12-minimal",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.9",
                    "version": "3.12.3-1ubuntu0.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8291",
                        "url": "https://ubuntu.com/security/CVE-2025-8291",
                        "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-07 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6075",
                        "url": "https://ubuntu.com/security/CVE-2025-6075",
                        "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8291",
                                "url": "https://ubuntu.com/security/CVE-2025-8291",
                                "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-07 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-6075",
                                "url": "https://ubuntu.com/security/CVE-2025-6075",
                                "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Possible payload obfuscation",
                            "    - debian/patches/CVE-2025-8291.patch: check consistency of",
                            "      the zip64 end of central dir record in Lib/zipfile.py,",
                            "      Lib/test/test_zipfile.py.",
                            "    - CVE-2025-8291",
                            "  * SECURITY UPDATE: Performance degradation",
                            "    - debian/patches/CVE-2025-6075.patch: fix quadratic complexity",
                            "      in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,",
                            "      Lib/test/test_genericpatch.py, Lib/test/test_npath.py.",
                            "    - CVE-2025-6075",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.9",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Thu, 06 Nov 2025 10:44:16 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-dev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-timesyncd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-drivers-common",
                "from_version": {
                    "source_package_name": "ubuntu-drivers-common",
                    "source_package_version": "1:0.9.7.6ubuntu3.4",
                    "version": "1:0.9.7.6ubuntu3.4"
                },
                "to_version": {
                    "source_package_name": "ubuntu-drivers-common",
                    "source_package_version": "1:0.9.7.6ubuntu3.5",
                    "version": "1:0.9.7.6ubuntu3.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125156
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Mitchell Augustin ]",
                            "  * Prevent coinstallation of conflicting Nvidia Drivers (LP: #2125156)",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * debian/source/options: ignore .git to prevent git artifacts in upload",
                            ""
                        ],
                        "package": "ubuntu-drivers-common",
                        "version": "1:0.9.7.6ubuntu3.5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125156
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Fri, 03 Oct 2025 16:26:02 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "36ubuntu0~24.04",
                    "version": "36ubuntu0~24.04"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.1ubuntu0~24.04",
                    "version": "37.1ubuntu0~24.04"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2129712,
                    2129712,
                    2123870,
                    2125453,
                    2107604
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport 37.1ubuntu0 to noble (LP: #2129712)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.1ubuntu0~24.04",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2129712
                        ],
                        "author": "Renan Rodrigo <rr@ubuntu.com>",
                        "date": "Mon, 27 Oct 2025 09:42:14 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * do-release-upgrade: immediately release the APT lock acquired to run the",
                            "    post-upgrade hook (LP: #2129712)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.1ubuntu0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2129712
                        ],
                        "author": "Renan Rodrigo <rr@ubuntu.com>",
                        "date": "Thu, 23 Oct 2025 16:30:36 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor/ubuntu_pro_[apt_news|esm_cache].jinja2: update coreutils path",
                            "    Thanks to Georgia Garcia <georgia.garcia@canonical.com> (LP: #2123870)",
                            "  * New upstream release 37: (LP: #2125453)",
                            "    - attach: don't show a notice if attaching a one-time token set for a",
                            "      future release (GH: #3485)",
                            "    - enable: add the --auto option to enable all default services based on",
                            "      the contract",
                            "    - entitlements:",
                            "      + add esm-infra-legacy support",
                            "      + add esm-apps-legacy support",
                            "    - fips: show correct kernel versions when downgrading on clouds (GH: #3488)",
                            "    - upgrade-lts-contract: (LP: #2107604)",
                            "      + remove implicit dependency on lsof",
                            "      + fix the logic to hold the apt lock while performing operations",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37ubuntu0",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2123870,
                            2125453,
                            2107604
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Mon, 22 Sep 2025 21:51:46 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.11",
                    "version": "255.4-1ubuntu8.11"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.12",
                    "version": "255.4-1ubuntu8.12"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125405,
                    2132666,
                    2130554
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * basic: validate timezones in get_timezones() (LP: #2125405)",
                            "  * ukify: fix insertion of padding in merged sections (LP: #2132666)",
                            "  * core: downgrade a log message from warning to debug (LP: #2130554)",
                            "  * test: skip testcase_multipath_basic_failover.",
                            "    This test has been failing on Ubuntu infrastructure for a long time.",
                            "    Leaving this alone at the moment allows other failures to potentially go",
                            "    unnoticed, because the migration reference baseline has been reset to",
                            "    fail. Skip the test to try and reset the baseline to pass.",
                            "  * d/gbp.conf: stop using wrap_cl.py",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.12",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2125405,
                            2132666,
                            2130554
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 25 Nov 2025 13:16:31 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "util-linux",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.4",
                    "version": "2.39.3-9ubuntu6.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2123886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add ARM core support for Vera systems (LP: #2123886)",
                            "    - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2123886
                        ],
                        "author": "Joao Andre Simioni <joao.simioni@canonical.com>",
                        "date": "Mon, 15 Sep 2025 21:08:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.8.0-90-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-87.88",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-90.91",
                    "version": "6.8.0-90.91"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-90.91",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-90.91",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Tue, 18 Nov 2025 12:46:03 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-89.90",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-89.90",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 14 Nov 2025 18:08:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-88.89",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-88.89",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Sat, 11 Oct 2025 01:40:10 +0200"
                    }
                ],
                "notes": "linux-image-6.8.0-90-generic version '6.8.0-90.91' (source package linux-signed version '6.8.0-90.91') was added. linux-image-6.8.0-90-generic version '6.8.0-90.91' has the same source package name, linux-signed, as removed package linux-image-6.8.0-87-generic. As such we can use the source package version of the removed package, '6.8.0-87.88', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-90-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-87.88",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-90.91",
                    "version": "6.8.0-90.91"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-39993",
                        "url": "https://ubuntu.com/security/CVE-2025-39993",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: fix races with imon_disconnect()  Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465  CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace:  <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd  The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.  Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.  As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.  Thread 1 vfd_write                      Thread 2 imon_disconnect                                         ...                                         
if                                           usb_put_dev(ictx->usbdev_intf0)                                         else                                           usb_put_dev(ictx->usbdev_intf1) ... while   send_packet     if       pipe = usb_sndintpipe(         ictx->usbdev_intf0) UAF     else       pipe = usb_sndctrlpipe(         ictx->usbdev_intf0, 0) UAF  Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.  Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.  Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40018",
                        "url": "https://ubuntu.com/security/CVE-2025-40018",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: Defer ip_vs_ftp unregister during netns cleanup  On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free.  Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39964",
                        "url": "https://ubuntu.com/security/CVE-2025-39964",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg  Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion.  Furthermore, concurrent writes may create inconsistencies in the internal socket state.  Disallow this by adding a new ctx->write field that indicates exclusive ownership for writing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-13 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37958",
                        "url": "https://ubuntu.com/security/CVE-2025-37958",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/huge_memory: fix dereferencing invalid pmd migration entry  When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below.  To prevent this invalid access, it is necessary to check the PMD migration entry and return early.  In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio.  Since the PMD migration entry is locked, it cannot be served as the target.  Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\"  BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The bug is found by syzkaller on an internal kernel, then confirmed on upstream.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38666",
                        "url": "https://ubuntu.com/security/CVE-2025-38666",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: appletalk: Fix use-after-free in AARP proxy probe  The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock.  During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free.  race condition:           cpu 0                          |            cpu 1     atalk_sendmsg()                     |   atif_proxy_probe_device()     aarp_send_ddp()                     |   aarp_proxy_probe_network()     mod_timer()                         |   lock(aarp_lock) // LOCK!!     timeout around 200ms                |   alloc(aarp_entry)     and then call                       |   proxies[hash] = aarp_entry     aarp_expire_timeout()               |   aarp_send_probe()                                         |   unlock(aarp_lock) // UNLOCK!!     lock(aarp_lock) // LOCK!!           |   msleep(100);     __aarp_expire_timer(&proxies[ct])   |     free(aarp_entry)                    |     unlock(aarp_lock) // UNLOCK!!       |                                         |   lock(aarp_lock) // LOCK!!                                         |   UAF aarp_entry !!  
================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278  CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc1/0x630 mm/kasan/report.c:521  kasan_report+0xca/0x100 mm/kasan/report.c:634  aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493  atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]  atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857  atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818  sock_do_ioctl+0xdc/0x260 net/socket.c:1190  sock_ioctl+0x239/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Allocated:  aarp_alloc net/appletalk/aarp.c:382 [inline]  aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468  atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]  atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857  atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818  Freed:  kfree+0x148/0x4d0 mm/slub.c:4841  __aarp_expire net/appletalk/aarp.c:90 [inline]  __aarp_expire_timer net/appletalk/aarp.c:261 [inline]  aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317  The buggy address belongs to the object at ffff8880123aa300  which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of  freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)  Memory state around the buggy address:  ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                                                        ^  ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc  ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================",
                        "cve_priority": "high",
                        "cve_public_date": "2025-08-22 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21729",
                        "url": "https://ubuntu.com/security/CVE-2025-21729",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion  The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex.   KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]  CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE  Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019  Workqueue: events cfg80211_conn_work [cfg80211]  RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]  Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d  RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206  RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001  RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089  RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000  R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960  R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000  FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0  Call Trace:   <TASK>   ? show_regs+0x61/0x73   ? __die_body+0x20/0x73   ? die_addr+0x4f/0x7b   ? exc_general_protection+0x191/0x1db   ? asm_exc_general_protection+0x27/0x30   ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]   ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]   ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]   ? do_raw_spin_lock+0x75/0xdb   ? __pfx_do_raw_spin_lock+0x10/0x10   rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]   ? 
_raw_spin_unlock+0xe/0x24   ? __mutex_lock.constprop.0+0x40c/0x471   ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]   ? __mutex_lock_slowpath+0x13/0x1f   ? mutex_lock+0xa2/0xdc   ? __pfx_mutex_lock+0x10/0x10   rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]   rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]   ieee80211_scan_cancel+0x468/0x4d0 [mac80211]   ieee80211_prep_connection+0x858/0x899 [mac80211]   ieee80211_mgd_auth+0xbea/0xdde [mac80211]   ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]   ? cfg80211_find_elem+0x15/0x29 [cfg80211]   ? is_bss+0x1b7/0x1d7 [cfg80211]   ieee80211_auth+0x18/0x27 [mac80211]   cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]   cfg80211_conn_do_work+0x410/0xb81 [cfg80211]   ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]   ? __kasan_check_read+0x11/0x1f   ? psi_group_change+0x8bc/0x944   ? __kasan_check_write+0x14/0x22   ? mutex_lock+0x8e/0xdc   ? __pfx_mutex_lock+0x10/0x10   ? __pfx___radix_tree_lookup+0x10/0x10   cfg80211_conn_work+0x245/0x34d [cfg80211]   ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]   ? update_cfs_rq_load_avg+0x3bc/0x3d7   ? sched_clock_noinstr+0x9/0x1a   ? sched_clock+0x10/0x24   ? sched_clock_cpu+0x7e/0x42e   ? newidle_balance+0x796/0x937   ? __pfx_sched_clock_cpu+0x10/0x10   ? __pfx_newidle_balance+0x10/0x10   ? __kasan_check_read+0x11/0x1f   ? psi_group_change+0x8bc/0x944   ? _raw_spin_unlock+0xe/0x24   ? raw_spin_rq_unlock+0x47/0x54   ? raw_spin_rq_unlock_irq+0x9/0x1f   ? finish_task_switch.isra.0+0x347/0x586   ? __schedule+0x27bf/0x2892   ? mutex_unlock+0x80/0xd0   ? do_raw_spin_lock+0x75/0xdb   ? __pfx___schedule+0x10/0x10   process_scheduled_works+0x58c/0x821   worker_thread+0x4c7/0x586   ? __kasan_check_read+0x11/0x1f   kthread+0x285/0x294   ? __pfx_worker_thread+0x10/0x10   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x29/0x6f   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1b/0x30   </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38227",
                        "url": "https://ubuntu.com/security/CVE-2025-38227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: vidtv: Terminating the subsequent process of initialization failure  syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]  After PSI initialization fails, the si member is accessed again, resulting in this uaf.  After si initialization fails, the subsequent process needs to be exited.  [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059  CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840  </TASK>  Allocated by task 6059:  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47  kasan_save_track+0x14/0x30 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394  kmalloc_noprof include/linux/slab.h:901 [inline]  kzalloc_noprof include/linux/slab.h:1037 [inline]  vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970  vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423  vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519  vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194  vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239  dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973  dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]  dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537  dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564  dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]  dvb_demux_release+0x92/0x550 
drivers/media/dvb-core/dmxdev.c:1246  __fput+0x3ff/0xb70 fs/file_tabl ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38678",
                        "url": "https://ubuntu.com/security/CVE-2025-38678",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: reject duplicate device on updates  A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device.  Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case.  WARNING is hit when unregistering the hook:   [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150  [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S                 6.16.0+ #170 PREEMPT(full)  [...]  [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38616",
                        "url": "https://ubuntu.com/security/CVE-2025-38616",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: handle data disappearing from under the TLS ULP  TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry.  We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len).  If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-08-22 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37838",
                        "url": "https://ubuntu.com/security/CVE-2025-37838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition  In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.  If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:  CPU0                                    CPU1                          | ssip_xmit_work ssi_protocol_remove     | kfree(ssi);             |                         | struct hsi_client *cl = ssi->cl;                         | // use ssi  Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-18 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40300",
                        "url": "https://ubuntu.com/security/CVE-2025-40300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/vmscape: Add conditional IBPB mitigation  VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.  Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.  This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace.  The intent is to integrate and optimize these cases post-embargo.  [ dhansen: elaborate on suboptimal IBPB solution ]",
                        "cve_priority": "high",
                        "cve_public_date": "2025-09-11 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38352",
                        "url": "https://ubuntu.com/security/CVE-2025-38352",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()  If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().  If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.  Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.  This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-07-22 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38118",
                        "url": "https://ubuntu.com/security/CVE-2025-38118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete  This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow:  ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341  CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406  hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 5987:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252  mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279  
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:727  sock_write_iter+0x258/0x330 net/socket.c:1131  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x548/0xa90 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 5989:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2380 [inline]  slab_free mm/slub.c:4642 [inline]  kfree+0x18e/0x440 mm/slub.c:4841  mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242  mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366  hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314  __sys_bind_socket net/socket.c:1810 [inline]  __sys_bind+0x2c3/0x3e0 net/socket.c:1841  __do_sys_bind net/socket.c:1846 [inline]  __se_sys_bind net/socket.c:1844 [inline]  __x64_sys_bind+0x7a/0x90 net/socket.c:1844  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                        "cve_priority": "high",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2131785,
                    2131213,
                    2131481,
                    2130212,
                    2130552,
                    2127619,
                    2121337,
                    2112469,
                    2123901,
                    2126659,
                    2126698,
                    2123815,
                    2125444,
                    2103680,
                    2125053,
                    2122592,
                    2122006,
                    2124105,
                    2124105
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-90.91 -proposed tracker (LP: #2131785)",
                            "",
                            "  * cifs: Fix memory leak of a folio every call to cifs_writepages_begin()",
                            "    (LP: #2131213)",
                            "    - cifs: fix pagecache leak when do writepages",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-90.91",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2131785,
                            2131213
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Tue, 18 Nov 2025 12:26:33 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-39993",
                                "url": "https://ubuntu.com/security/CVE-2025-39993",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: fix races with imon_disconnect()  Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465  CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace:  <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd  The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.  Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.  As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.  Thread 1 vfd_write                      Thread 2 imon_disconnect                                         ...                                         
if                                           usb_put_dev(ictx->usbdev_intf0)                                         else                                           usb_put_dev(ictx->usbdev_intf1) ... while   send_packet     if       pipe = usb_sndintpipe(         ictx->usbdev_intf0) UAF     else       pipe = usb_sndctrlpipe(         ictx->usbdev_intf0, 0) UAF  Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.  Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.  Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40018",
                                "url": "https://ubuntu.com/security/CVE-2025-40018",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: Defer ip_vs_ftp unregister during netns cleanup  On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free.  Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39964",
                                "url": "https://ubuntu.com/security/CVE-2025-39964",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg  Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion.  Furthermore, concurrent writes may create inconsistencies in the internal socket state.  Disallow this by adding a new ctx->write field that indicates exclusive ownership for writing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-13 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37958",
                                "url": "https://ubuntu.com/security/CVE-2025-37958",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/huge_memory: fix dereferencing invalid pmd migration entry  When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below.  To prevent this invalid access, it is necessary to check the PMD migration entry and return early.  In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio.  Since the PMD migration entry is locked, it cannot be served as the target.  Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\"  BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The bug is found by syzkaller on an internal kernel, then confirmed on upstream.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38666",
                                "url": "https://ubuntu.com/security/CVE-2025-38666",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: appletalk: Fix use-after-free in AARP proxy probe  The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock.  During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free.  race condition:           cpu 0                          |            cpu 1     atalk_sendmsg()                     |   atif_proxy_probe_device()     aarp_send_ddp()                     |   aarp_proxy_probe_network()     mod_timer()                         |   lock(aarp_lock) // LOCK!!     timeout around 200ms                |   alloc(aarp_entry)     and then call                       |   proxies[hash] = aarp_entry     aarp_expire_timeout()               |   aarp_send_probe()                                         |   unlock(aarp_lock) // UNLOCK!!     lock(aarp_lock) // LOCK!!           |   msleep(100);     __aarp_expire_timer(&proxies[ct])   |     free(aarp_entry)                    |     unlock(aarp_lock) // UNLOCK!!       |                                         |   lock(aarp_lock) // LOCK!!                                         |   UAF aarp_entry !!  
================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278  CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc1/0x630 mm/kasan/report.c:521  kasan_report+0xca/0x100 mm/kasan/report.c:634  aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493  atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]  atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857  atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818  sock_do_ioctl+0xdc/0x260 net/socket.c:1190  sock_ioctl+0x239/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Allocated:  aarp_alloc net/appletalk/aarp.c:382 [inline]  aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468  atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]  atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857  atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818  Freed:  kfree+0x148/0x4d0 mm/slub.c:4841  __aarp_expire net/appletalk/aarp.c:90 [inline]  __aarp_expire_timer net/appletalk/aarp.c:261 [inline]  aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317  The buggy address belongs to the object at ffff8880123aa300  which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of  freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)  Memory state around the buggy address:  ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                                                        ^  ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc  ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================",
                                "cve_priority": "high",
                                "cve_public_date": "2025-08-22 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-89.90 -proposed tracker (LP: #2131481)",
                            "",
                            "  * CVE-2025-39993",
                            "    - media: rc: fix races with imon_disconnect()",
                            "",
                            "  * Audio output fails on internal speakers when using kernel 6.8.0-84 and",
                            "    newer. (LP: #2130212)",
                            "    - Revert \"ASoC: cs35l56: Prevent races when soft-resetting using SPI",
                            "      control\"",
                            "",
                            "  * i40e driver is triggering VF resets on every link state change",
                            "    (LP: #2130552)",
                            "    - i40e: avoid redundant VF link state updates",
                            "",
                            "  * CVE-2025-40018",
                            "    - ipvs: Defer ip_vs_ftp unregister during netns cleanup",
                            "",
                            "  * CVE-2025-39964",
                            "    - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg",
                            "    - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx",
                            "",
                            "  * CVE-2025-37958",
                            "    - mm/huge_memory: fix dereferencing invalid pmd migration entry",
                            "",
                            "  * CVE-2025-38666",
                            "    - net: appletalk: Fix use-after-free in AARP proxy probe",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-89.90",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2131481,
                            2130212,
                            2130552
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 14 Nov 2025 17:51:25 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-21729",
                                "url": "https://ubuntu.com/security/CVE-2025-21729",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion  The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex.   KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]  CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE  Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019  Workqueue: events cfg80211_conn_work [cfg80211]  RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]  Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d  RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206  RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001  RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089  RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000  R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960  R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000  FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0  Call Trace:   <TASK>   ? show_regs+0x61/0x73   ? __die_body+0x20/0x73   ? die_addr+0x4f/0x7b   ? exc_general_protection+0x191/0x1db   ? asm_exc_general_protection+0x27/0x30   ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]   ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]   ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]   ? do_raw_spin_lock+0x75/0xdb   ? __pfx_do_raw_spin_lock+0x10/0x10   rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]   ? 
_raw_spin_unlock+0xe/0x24   ? __mutex_lock.constprop.0+0x40c/0x471   ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]   ? __mutex_lock_slowpath+0x13/0x1f   ? mutex_lock+0xa2/0xdc   ? __pfx_mutex_lock+0x10/0x10   rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]   rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]   ieee80211_scan_cancel+0x468/0x4d0 [mac80211]   ieee80211_prep_connection+0x858/0x899 [mac80211]   ieee80211_mgd_auth+0xbea/0xdde [mac80211]   ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]   ? cfg80211_find_elem+0x15/0x29 [cfg80211]   ? is_bss+0x1b7/0x1d7 [cfg80211]   ieee80211_auth+0x18/0x27 [mac80211]   cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]   cfg80211_conn_do_work+0x410/0xb81 [cfg80211]   ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]   ? __kasan_check_read+0x11/0x1f   ? psi_group_change+0x8bc/0x944   ? __kasan_check_write+0x14/0x22   ? mutex_lock+0x8e/0xdc   ? __pfx_mutex_lock+0x10/0x10   ? __pfx___radix_tree_lookup+0x10/0x10   cfg80211_conn_work+0x245/0x34d [cfg80211]   ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]   ? update_cfs_rq_load_avg+0x3bc/0x3d7   ? sched_clock_noinstr+0x9/0x1a   ? sched_clock+0x10/0x24   ? sched_clock_cpu+0x7e/0x42e   ? newidle_balance+0x796/0x937   ? __pfx_sched_clock_cpu+0x10/0x10   ? __pfx_newidle_balance+0x10/0x10   ? __kasan_check_read+0x11/0x1f   ? psi_group_change+0x8bc/0x944   ? _raw_spin_unlock+0xe/0x24   ? raw_spin_rq_unlock+0x47/0x54   ? raw_spin_rq_unlock_irq+0x9/0x1f   ? finish_task_switch.isra.0+0x347/0x586   ? __schedule+0x27bf/0x2892   ? mutex_unlock+0x80/0xd0   ? do_raw_spin_lock+0x75/0xdb   ? __pfx___schedule+0x10/0x10   process_scheduled_works+0x58c/0x821   worker_thread+0x4c7/0x586   ? __kasan_check_read+0x11/0x1f   kthread+0x285/0x294   ? __pfx_worker_thread+0x10/0x10   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x29/0x6f   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1b/0x30   </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38227",
                                "url": "https://ubuntu.com/security/CVE-2025-38227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: vidtv: Terminating the subsequent process of initialization failure  syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]  After PSI initialization fails, the si member is accessed again, resulting in this uaf.  After si initialization fails, the subsequent process needs to be exited.  [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059  CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840  </TASK>  Allocated by task 6059:  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47  kasan_save_track+0x14/0x30 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394  kmalloc_noprof include/linux/slab.h:901 [inline]  kzalloc_noprof include/linux/slab.h:1037 [inline]  vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970  vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423  vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519  vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194  vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239  dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973  dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]  dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537  dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564  dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]  dvb_demux_release+0x92/0x550 
drivers/media/dvb-core/dmxdev.c:1246  __fput+0x3ff/0xb70 fs/file_tabl ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38678",
                                "url": "https://ubuntu.com/security/CVE-2025-38678",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: reject duplicate device on updates  A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device.  Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case.  WARNING is hit when unregistering the hook:   [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150  [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S                 6.16.0+ #170 PREEMPT(full)  [...]  [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38616",
                                "url": "https://ubuntu.com/security/CVE-2025-38616",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: handle data disappearing from under the TLS ULP  TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry.  We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len).  If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-08-22 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37838",
                                "url": "https://ubuntu.com/security/CVE-2025-37838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition  In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.  If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:  CPU0                                    CPU1                          | ssip_xmit_work ssi_protocol_remove     | kfree(ssi);             |                         | struct hsi_client *cl = ssi->cl;                         | // use ssi  Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-18 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40300",
                                "url": "https://ubuntu.com/security/CVE-2025-40300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/vmscape: Add conditional IBPB mitigation  VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.  Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.  This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace.  The intent is to integrate and optimize these cases post-embargo.  [ dhansen: elaborate on suboptimal IBPB solution ]",
                                "cve_priority": "high",
                                "cve_public_date": "2025-09-11 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38352",
                                "url": "https://ubuntu.com/security/CVE-2025-38352",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()  If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().  If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.  Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.  This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-07-22 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38118",
                                "url": "https://ubuntu.com/security/CVE-2025-38118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete  This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow:  ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341  CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406  hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 5987:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252  mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279  
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:727  sock_write_iter+0x258/0x330 net/socket.c:1131  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x548/0xa90 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 5989:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2380 [inline]  slab_free mm/slub.c:4642 [inline]  kfree+0x18e/0x440 mm/slub.c:4841  mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242  mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366  hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314  __sys_bind_socket net/socket.c:1810 [inline]  __sys_bind+0x2c3/0x3e0 net/socket.c:1841  __do_sys_bind net/socket.c:1846 [inline]  __se_sys_bind net/socket.c:1844 [inline]  __x64_sys_bind+0x7a/0x90 net/socket.c:1844  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                                "cve_priority": "high",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-88.89 -proposed tracker (LP: #2127619)",
                            "",
                            "  *  Enable Xilinx PS UART configs (LP: #2121337)",
                            "    - [Config] Enable Xilinx PS UART configs",
                            "",
                            "  * Fix ARL-U/H suspend issues (LP: #2112469)",
                            "    - platform/x86/intel/pmc: Add Arrow Lake U/H support to intel_pmc_core",
                            "      driver",
                            "    - platform/x86/intel/pmc: Fix Arrow Lake U/H NPU PCI ID",
                            "",
                            "  * r8169 can not wake on LAN via SFP module (LP: #2123901)",
                            "    - r8169: set EEE speed down ratio to 1",
                            "",
                            "  * Add pvpanic kernel modules to linux-modules (LP: #2126659)",
                            "    - [Packaging] Add pvpanic kernel modules to linux-modules",
                            "",
                            "  * CVE-2025-21729",
                            "    - wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion",
                            "",
                            "  * Fix failure to build TDX module (LP: #2126698)",
                            "    - x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT",
                            "",
                            "  * Ubuntu 24.04.2: error in audit_log_object_context keep printing in the",
                            "    kernel and console (LP: #2123815)",
                            "    - SAUCE: fix: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record",
                            "      for multiple object contexts",
                            "",
                            "  * ensure mptcp keepalives are honored when set (LP: #2125444)",
                            "    - mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN",
                            "",
                            "  * System hangs when running the memory stress test (LP: #2103680)",
                            "    - mm: page_alloc: avoid kswapd thrashing due to NUMA restrictions",
                            "",
                            "  * UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer",
                            "    dereference (LP: #2125053)",
                            "    - SAUCE: fan: vxlan: check memory allocation for map",
                            "",
                            "  * jammy:linux-riscv-6.8 is FTBFS because of wrong include (LP: #2122592)",
                            "    - SAUCE: riscv: KVM: Remove broken include",
                            "",
                            "  * Performance degrades rapidly when spawning more processes to run benchmark",
                            "    (LP: #2122006)",
                            "    - cpuidle: menu: Avoid discarding useful information",
                            "    - cpuidle: governors: menu: Avoid using invalid recent intervals data",
                            "",
                            "  * CVE-2025-38227",
                            "    - media: vidtv: Terminating the subsequent process of initialization",
                            "      failure",
                            "",
                            "  * CVE-2025-38678",
                            "    - netfilter: nf_tables: reject duplicate device on updates",
                            "",
                            "  * CVE-2025-38616",
                            "    - tls: handle data disappearing from under the TLS ULP",
                            "",
                            "  * CVE-2025-37838",
                            "    - HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol",
                            "      Driver Due to Race Condition",
                            "",
                            "  * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300",
                            "    - Documentation/hw-vuln: Add VMSCAPE documentation",
                            "    - x86/vmscape: Enumerate VMSCAPE bug",
                            "    - x86/vmscape: Add conditional IBPB mitigation",
                            "    - x86/vmscape: Enable the mitigation",
                            "    - x86/bugs: Move cpu_bugs_smt_update() down",
                            "    - x86/vmscape: Warn when STIBP is disabled with SMT",
                            "    - x86/vmscape: Add old Intel CPUs to affected list",
                            "",
                            "  * VMSCAPE CVE-2025-40300 (LP: #2124105)",
                            "    - [Config] Enable MITIGATION_VMSCAPE config",
                            "",
                            "  * CVE-2025-38352",
                            "    - posix-cpu-timers: fix race between handle_posix_cpu_timers() and",
                            "      posix_cpu_timer_del()",
                            "",
                            "  * CVE-2025-38118",
                            "    - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete",
                            "    - Bluetooth: MGMT: Fix sparse errors",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-88.89",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2127619,
                            2121337,
                            2112469,
                            2123901,
                            2126659,
                            2126698,
                            2123815,
                            2125444,
                            2103680,
                            2125053,
                            2122592,
                            2122006,
                            2124105,
                            2124105
                        ],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Sat, 11 Oct 2025 01:38:46 +0200"
                    }
                ],
                "notes": "linux-modules-6.8.0-90-generic version '6.8.0-90.91' (source package linux version '6.8.0-90.91') was added. linux-modules-6.8.0-90-generic version '6.8.0-90.91' has the same source package name, linux, as removed package linux-modules-6.8.0-87-generic. As such we can use the source package version of the removed package, '6.8.0-87.88', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.8.0-87-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-87.88",
                    "version": "6.8.0-87.88"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-87-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-87.88",
                    "version": "6.8.0-87.88"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20251113 to 20260105",
    "from_series": "noble",
    "to_series": "noble",
    "from_serial": "20251113",
    "to_serial": "20260105",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}