{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "bind9-dnsutils",
                "bind9-host",
                "bind9-libs:riscv64",
                "bpftool",
                "fwupd",
                "libfwupd3:riscv64",
                "libnetplan1:riscv64",
                "libnss-systemd:riscv64",
                "libpam-systemd:riscv64",
                "libsystemd-shared:riscv64",
                "libsystemd0:riscv64",
                "libudev1:riscv64",
                "linux-libc-dev:riscv64",
                "linux-perf",
                "linux-tools-common",
                "lshw",
                "netplan-generator",
                "netplan.io",
                "pollinate",
                "python3-jwt",
                "python3-netplan",
                "python3-openssl",
                "python3-pyasn1",
                "systemd",
                "systemd-cryptsetup",
                "systemd-resolved",
                "systemd-sysv",
                "tzdata",
                "udev"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "bind9-dnsutils",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.11-1ubuntu2.1",
                    "version": "1:9.20.11-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.11-1ubuntu2.2",
                    "version": "1:9.20.11-1ubuntu2.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during",
                            "    insecure delegation validation",
                            "    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.",
                            "    - debian/patches/CVE-2026-1519-2.patch: check iterations in",
                            "      isdelegation() in lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted",
                            "      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-4.patch: combine validator_log and",
                            "      marksecure in lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-5.patch: check RRset trust in",
                            "      validate_neg_rrset() in lib/dns/validator.c.",
                            "    - CVE-2026-1519",
                            "  * SECURITY UPDATE: Memory leak in code preparing DNSSEC proofs of",
                            "    non-existence",
                            "    - debian/patches/CVE-2026-3104-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3104-2.patch: fix memory leak in QPcache",
                            "      addnoqname/addclosest mechanism in lib/dns/qpcache.c,",
                            "      lib/dns/rbtdb.c.",
                            "    - CVE-2026-3104",
                            "  * SECURITY UPDATE: Authenticated query containing a TKEY record may cause",
                            "    named to terminate unexpectedly",
                            "    - debian/patches/CVE-2026-3119-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3119-2.patch: fix a bug in",
                            "      dns_tkey_processquery() in lib/dns/tkey.c.",
                            "    - CVE-2026-3119",
                            "  * SECURITY UPDATE: A stack use-after-return flaw in SIG(0) handling code",
                            "    may enable ACL bypass",
                            "    - debian/patches/CVE-2026-3591-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3591-2.patch: fix stack Use-After-Return in",
                            "      SIG(0) handling in bin/named/server.c.",
                            "    - CVE-2026-3591",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.11-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 24 Mar 2026 11:17:07 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bind9-host",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.11-1ubuntu2.1",
                    "version": "1:9.20.11-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.11-1ubuntu2.2",
                    "version": "1:9.20.11-1ubuntu2.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during",
                            "    insecure delegation validation",
                            "    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.",
                            "    - debian/patches/CVE-2026-1519-2.patch: check iterations in",
                            "      isdelegation() in lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted",
                            "      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-4.patch: combine validator_log and",
                            "      marksecure in lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-5.patch: check RRset trust in",
                            "      validate_neg_rrset() in lib/dns/validator.c.",
                            "    - CVE-2026-1519",
                            "  * SECURITY UPDATE: Memory leak in code preparing DNSSEC proofs of",
                            "    non-existence",
                            "    - debian/patches/CVE-2026-3104-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3104-2.patch: fix memory leak in QPcache",
                            "      addnoqname/addclosest mechanism in lib/dns/qpcache.c,",
                            "      lib/dns/rbtdb.c.",
                            "    - CVE-2026-3104",
                            "  * SECURITY UPDATE: Authenticated query containing a TKEY record may cause",
                            "    named to terminate unexpectedly",
                            "    - debian/patches/CVE-2026-3119-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3119-2.patch: fix a bug in",
                            "      dns_tkey_processquery() in lib/dns/tkey.c.",
                            "    - CVE-2026-3119",
                            "  * SECURITY UPDATE: A stack use-after-return flaw in SIG(0) handling code",
                            "    may enable ACL bypass",
                            "    - debian/patches/CVE-2026-3591-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3591-2.patch: fix stack Use-After-Return in",
                            "      SIG(0) handling in bin/named/server.c.",
                            "    - CVE-2026-3591",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.11-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 24 Mar 2026 11:17:07 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bind9-libs:riscv64",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.11-1ubuntu2.1",
                    "version": "1:9.20.11-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.11-1ubuntu2.2",
                    "version": "1:9.20.11-1ubuntu2.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during",
                            "    insecure delegation validation",
                            "    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.",
                            "    - debian/patches/CVE-2026-1519-2.patch: check iterations in",
                            "      isdelegation() in lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted",
                            "      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-4.patch: combine validator_log and",
                            "      marksecure in lib/dns/validator.c.",
                            "    - debian/patches/CVE-2026-1519-5.patch: check RRset trust in",
                            "      validate_neg_rrset() in lib/dns/validator.c.",
                            "    - CVE-2026-1519",
                            "  * SECURITY UPDATE: Memory leak in code preparing DNSSEC proofs of",
                            "    non-existence",
                            "    - debian/patches/CVE-2026-3104-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3104-2.patch: fix memory leak in QPcache",
                            "      addnoqname/addclosest mechanism in lib/dns/qpcache.c,",
                            "      lib/dns/rbtdb.c.",
                            "    - CVE-2026-3104",
                            "  * SECURITY UPDATE: Authenticated query containing a TKEY record may cause",
                            "    named to terminate unexpectedly",
                            "    - debian/patches/CVE-2026-3119-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3119-2.patch: fix a bug in",
                            "      dns_tkey_processquery() in lib/dns/tkey.c.",
                            "    - CVE-2026-3119",
                            "  * SECURITY UPDATE: A stack use-after-return flaw in SIG(0) handling code",
                            "    may enable ACL bypass",
                            "    - debian/patches/CVE-2026-3591-1.patch: add tests to bin/tests/*.",
                            "    - debian/patches/CVE-2026-3591-2.patch: fix stack Use-After-Return in",
                            "      SIG(0) handling in bin/named/server.c.",
                            "    - CVE-2026-3591",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.11-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 24 Mar 2026 11:17:07 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bpftool",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-19.19",
                    "version": "7.7.0+6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-20.20",
                    "version": "7.7.0+6.17.0-20.20"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23074",
                        "url": "https://ubuntu.com/security/CVE-2026-23074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23060",
                        "url": "https://ubuntu.com/security/CVE-2026-23060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23111",
                        "url": "https://ubuntu.com/security/CVE-2026-23111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-13 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144297
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23074",
                                "url": "https://ubuntu.com/security/CVE-2026-23074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23060",
                                "url": "https://ubuntu.com/security/CVE-2026-23060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23111",
                                "url": "https://ubuntu.com/security/CVE-2026-23111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-13 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux: 6.17.0-20.20 -proposed tracker (LP: #2144297)",
                            "",
                            "  * CVE-2026-23074",
                            "    - net/sched: Enforce that teql can only be used as root qdisc",
                            "",
                            "  * CVE-2026-23060",
                            "    - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN",
                            "      spec",
                            "",
                            "  * CVE-2026-23111",
                            "    - netfilter: nf_tables: fix inverted genmask check in",
                            "      nft_map_catchall_activate()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2144297
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 16:27:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fwupd",
                "from_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.0.17-6~25.10.1",
                    "version": "2.0.17-6~25.10.1"
                },
                "to_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.0.20-1ubuntu2~25.10.1",
                    "version": "2.0.20-1ubuntu2~25.10.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143688,
                    2143688,
                    2142298,
                    2139611,
                    2138609
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport to questing.",
                            "  * Fixes UOD behavior on some Dell docks (LP: #2143688)",
                            "  * d/control: Drop passim b-d",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu2~25.10.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2143688
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Thu, 12 Mar 2026 22:51:33 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/patches/dell-uod-behavior.patch: Backport from 2_0_X branch to fix",
                            "    UOD behavior for some Dell docks. (LP: #2143688)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143688
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Mon, 09 Mar 2026 11:48:10 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable UMA carveout feature (LP: #2142298)",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            "    - d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "      verify snapd recovery key through prompt on updates affecting FDE.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142298
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Fri, 27 Feb 2026 20:24:47 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.20)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Thu, 26 Feb 2026 06:49:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix snapd bad request on db updates (LP: #2139611):",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139611
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 12:12:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "    verify snapd recovery key through prompt on updates affecting FDE.",
                            "    (LP: #2138609)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138609
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 22 Jan 2026 16:38:17 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.19)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Sat, 20 Dec 2025 22:13:58 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.18)",
                            "  * Drop upstream patches",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.18-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Sat, 20 Dec 2025 22:06:57 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfwupd3:riscv64",
                "from_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.0.17-6~25.10.1",
                    "version": "2.0.17-6~25.10.1"
                },
                "to_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.0.20-1ubuntu2~25.10.1",
                    "version": "2.0.20-1ubuntu2~25.10.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143688,
                    2143688,
                    2142298,
                    2139611,
                    2138609
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport to questing.",
                            "  * Fixes UOD behavior on some Dell docks (LP: #2143688)",
                            "  * d/control: Drop passim b-d",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu2~25.10.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2143688
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Thu, 12 Mar 2026 22:51:33 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/patches/dell-uod-behavior.patch: Backport from 2_0_X branch to fix",
                            "    UOD behavior for some Dell docks. (LP: #2143688)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143688
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Mon, 09 Mar 2026 11:48:10 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable UMA carveout feature (LP: #2142298)",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            "    - d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "      verify snapd recovery key through prompt on updates affecting FDE.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142298
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Fri, 27 Feb 2026 20:24:47 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.20)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Thu, 26 Feb 2026 06:49:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix snapd bad request on db updates (LP: #2139611):",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139611
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 12:12:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "    verify snapd recovery key through prompt on updates affecting FDE.",
                            "    (LP: #2138609)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138609
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 22 Jan 2026 16:38:17 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.19)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Sat, 20 Dec 2025 22:13:58 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.18)",
                            "  * Drop upstream patches",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.18-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Sat, 20 Dec 2025 22:06:57 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnetplan1:riscv64",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.1",
                    "version": "1.1.2-8ubuntu1~25.10.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.2",
                    "version": "1.1.2-8ubuntu1~25.10.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~25.10.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:41:47 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnss-systemd:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-libc-dev:riscv64",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-19.19",
                    "version": "6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-20.20",
                    "version": "6.17.0-20.20"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23074",
                        "url": "https://ubuntu.com/security/CVE-2026-23074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23060",
                        "url": "https://ubuntu.com/security/CVE-2026-23060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23111",
                        "url": "https://ubuntu.com/security/CVE-2026-23111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-13 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144297
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23074",
                                "url": "https://ubuntu.com/security/CVE-2026-23074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23060",
                                "url": "https://ubuntu.com/security/CVE-2026-23060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23111",
                                "url": "https://ubuntu.com/security/CVE-2026-23111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-13 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux: 6.17.0-20.20 -proposed tracker (LP: #2144297)",
                            "",
                            "  * CVE-2026-23074",
                            "    - net/sched: Enforce that teql can only be used as root qdisc",
                            "",
                            "  * CVE-2026-23060",
                            "    - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN",
                            "      spec",
                            "",
                            "  * CVE-2026-23111",
                            "    - netfilter: nf_tables: fix inverted genmask check in",
                            "      nft_map_catchall_activate()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2144297
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 16:27:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-perf",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-19.19",
                    "version": "6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-20.20",
                    "version": "6.17.0-20.20"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23074",
                        "url": "https://ubuntu.com/security/CVE-2026-23074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23060",
                        "url": "https://ubuntu.com/security/CVE-2026-23060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23111",
                        "url": "https://ubuntu.com/security/CVE-2026-23111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-13 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144297
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23074",
                                "url": "https://ubuntu.com/security/CVE-2026-23074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23060",
                                "url": "https://ubuntu.com/security/CVE-2026-23060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23111",
                                "url": "https://ubuntu.com/security/CVE-2026-23111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-13 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux: 6.17.0-20.20 -proposed tracker (LP: #2144297)",
                            "",
                            "  * CVE-2026-23074",
                            "    - net/sched: Enforce that teql can only be used as root qdisc",
                            "",
                            "  * CVE-2026-23060",
                            "    - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN",
                            "      spec",
                            "",
                            "  * CVE-2026-23111",
                            "    - netfilter: nf_tables: fix inverted genmask check in",
                            "      nft_map_catchall_activate()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2144297
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 16:27:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-common",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-19.19",
                    "version": "6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-20.20",
                    "version": "6.17.0-20.20"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23074",
                        "url": "https://ubuntu.com/security/CVE-2026-23074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23060",
                        "url": "https://ubuntu.com/security/CVE-2026-23060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23111",
                        "url": "https://ubuntu.com/security/CVE-2026-23111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-13 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144297
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23074",
                                "url": "https://ubuntu.com/security/CVE-2026-23074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23060",
                                "url": "https://ubuntu.com/security/CVE-2026-23060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23111",
                                "url": "https://ubuntu.com/security/CVE-2026-23111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-13 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux: 6.17.0-20.20 -proposed tracker (LP: #2144297)",
                            "",
                            "  * CVE-2026-23074",
                            "    - net/sched: Enforce that teql can only be used as root qdisc",
                            "",
                            "  * CVE-2026-23060",
                            "    - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN",
                            "      spec",
                            "",
                            "  * CVE-2026-23111",
                            "    - netfilter: nf_tables: fix inverted genmask check in",
                            "      nft_map_catchall_activate()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2144297
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 16:27:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "lshw",
                "from_version": {
                    "source_package_name": "lshw",
                    "source_package_version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu1",
                    "version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "lshw",
                    "source_package_version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu1.1",
                    "version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127480
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix incorrect fb detection (LP: #2127480):",
                            "    - d/p/lp2127480-0001-improve-fb-detection.patch",
                            "    - d/p/lp2127480-0002-another-try-at-fixing-the-Github-fbdev-issue.patch",
                            ""
                        ],
                        "package": "lshw",
                        "version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2127480
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Fri, 10 Oct 2025 16:08:02 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan-generator",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.1",
                    "version": "1.1.2-8ubuntu1~25.10.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.2",
                    "version": "1.1.2-8ubuntu1~25.10.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~25.10.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:41:47 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan.io",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.1",
                    "version": "1.1.2-8ubuntu1~25.10.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.2",
                    "version": "1.1.2-8ubuntu1~25.10.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~25.10.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:41:47 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "pollinate",
                "from_version": {
                    "source_package_name": "pollinate",
                    "source_package_version": "4.33-4ubuntu4",
                    "version": "4.33-4ubuntu4"
                },
                "to_version": {
                    "source_package_name": "pollinate",
                    "source_package_version": "4.33-4ubuntu4.2",
                    "version": "4.33-4ubuntu4.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146451
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove certificate pinning (LP: #2146451)",
                            "    - Curl will now use the system ca-certificates to validate the server",
                            "      cert which will allow a graceful transition during the upcoming",
                            "      certificate renewal and prevent machines from booting without",
                            "      seeded entropy.",
                            ""
                        ],
                        "package": "pollinate",
                        "version": "4.33-4ubuntu4.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [
                            2146451
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 26 Mar 2026 08:25:57 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-jwt",
                "from_version": {
                    "source_package_name": "pyjwt",
                    "source_package_version": "2.10.1-2",
                    "version": "2.10.1-2"
                },
                "to_version": {
                    "source_package_name": "pyjwt",
                    "source_package_version": "2.10.1-2ubuntu0.1",
                    "version": "2.10.1-2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-32597",
                        "url": "https://ubuntu.com/security/CVE-2026-32597",
                        "cve_description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-13 19:55:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32597",
                                "url": "https://ubuntu.com/security/CVE-2026-32597",
                                "cve_description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-13 19:55:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Incorrect authorization of invalid JWS token.",
                            "    - debian/patches/CVE-2026-32597.patch: Add _supported_crit and checks",
                            "      for valid crit header in jwt/api_jws.py. Add tests in",
                            "      tests/test_api_jws.py and tests/test_api_jwt.py.",
                            "    - CVE-2026-32597",
                            ""
                        ],
                        "package": "pyjwt",
                        "version": "2.10.1-2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 26 Mar 2026 10:29:25 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-netplan",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.1",
                    "version": "1.1.2-8ubuntu1~25.10.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-8ubuntu1~25.10.2",
                    "version": "1.1.2-8ubuntu1~25.10.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-8ubuntu1~25.10.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:41:47 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-openssl",
                "from_version": {
                    "source_package_name": "pyopenssl",
                    "source_package_version": "25.0.0-1",
                    "version": "25.0.0-1"
                },
                "to_version": {
                    "source_package_name": "pyopenssl",
                    "source_package_version": "25.0.0-1ubuntu0.1",
                    "version": "25.0.0-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-27448",
                        "url": "https://ubuntu.com/security/CVE-2026-27448",
                        "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-18 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-27459",
                        "url": "https://ubuntu.com/security/CVE-2026-27459",
                        "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 00:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-27448",
                                "url": "https://ubuntu.com/security/CVE-2026-27448",
                                "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-18 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-27459",
                                "url": "https://ubuntu.com/security/CVE-2026-27459",
                                "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 00:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Unhandled exceptions in set_tlsext_servername_callback",
                            "    - debian/patches/CVE-2026-27448.patch: handle exceptions in callbacks",
                            "      in src/OpenSSL/SSL.py, tests/test_ssl.py.",
                            "    - CVE-2026-27448",
                            "  * SECURITY UPDATE: Buffer overflow via DTLS cookie callback",
                            "    - debian/patches/CVE-2026-27459.patch: fix buffer overflow in DTLS",
                            "      cookie generation callback in src/OpenSSL/SSL.py, tests/test_ssl.py.",
                            "    - CVE-2026-27459",
                            ""
                        ],
                        "package": "pyopenssl",
                        "version": "25.0.0-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 18 Mar 2026 13:26:12 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-pyasn1",
                "from_version": {
                    "source_package_name": "pyasn1",
                    "source_package_version": "0.6.1-1ubuntu0.1",
                    "version": "0.6.1-1ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "pyasn1",
                    "source_package_version": "0.6.1-1ubuntu0.2",
                    "version": "0.6.1-1ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-30922",
                        "url": "https://ubuntu.com/security/CVE-2026-30922",
                        "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with \"Indefinite Length\" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 04:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-30922",
                                "url": "https://ubuntu.com/security/CVE-2026-30922",
                                "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with \"Indefinite Length\" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 04:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: DoS via uncontrolled recursion",
                            "    - debian/patches/CVE-2026-30922.patch: limit nesting depth in",
                            "      pyasn1/codec/ber/decoder.py, tests/codec/ber/test_decoder.py,",
                            "      tests/codec/cer/test_decoder.py, tests/codec/der/test_decoder.py.",
                            "    - CVE-2026-30922",
                            ""
                        ],
                        "package": "pyasn1",
                        "version": "0.6.1-1ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 23 Mar 2026 12:10:36 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-cryptsetup",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2025b-3ubuntu1.1",
                    "version": "2025b-3ubuntu1.1"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026a-0ubuntu0.25.10.1",
                    "version": "2026a-0ubuntu0.25.10.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143355
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (LP: #2143355)",
                            "  * Add autopkgtest test case for 2025c and 2026a release",
                            "  * Update the ICU timezone data to 2026a",
                            "  * Add autopkgtest test case for ICU timezone data 2026a",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026a-0ubuntu0.25.10.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2143355
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 12:51:54 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.10 questing image from daily image serial 20260320 to 20260401",
    "from_series": "questing",
    "to_series": "questing",
    "from_serial": "20260320",
    "to_serial": "20260401",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}