[USN-8104-1] Flask vulnerability
[USN-8102-2] snapd regression
[USN-8106-1] Valkey vulnerabilities
[USN-8098-3] Linux kernel vulnerabilities
[USN-8107-1] Linux kernel (AWS FIPS) vulnerabilities
[USN-8103-1] Exiv2 vulnerabilities
[USN-8097-2] roundcube regression
[USN-8108-1] Bouncy Castle vulnerabilities
[USN-8105-1] FreeRDP vulnerabilities
[USN-8104-1] Flask vulnerability
==========================================================================
Ubuntu Security Notice USN-8104-1
March 18, 2026
flask vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Flask could be made to expose sensitive information over the
network.
Software Description:
- flask: Micro web framework based on Werkzeug and Jinja2
Details:
Shourya Jaiswal discovered that Flask did not correctly mark certain web
responses as user-specific. A remote attacker could possibly use this
issue to obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-flask 3.0.2-1ubuntu1.1
Ubuntu 22.04 LTS
python3-flask 2.0.1-2ubuntu1.2
Ubuntu 20.04 LTS
python3-flask 1.1.1-2ubuntu0.1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8104-1
CVE-2026-27205
Package Information:
https://launchpad.net/ubuntu/+source/flask/3.0.2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/flask/2.0.1-2ubuntu1.2
[USN-8102-2] snapd regression
==========================================================================
Ubuntu Security Notice USN-8102-2
March 17, 2026
snapd regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
USN-8102-1 introduced a regression in snapd
Software Description:
- snapd: Daemon and tooling that enable snap packages
Details:
USN-8102-1 fixed a vulnerability in snapd. The update caused a regresision for
Ubuntu 24.04 LTS while installing the package. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Qualys discovered that snapd incorrectly handled certain operations in the
snap's private /tmp directory. If systemd-tmpfiles is enabled to automatically
clean up this directory, a local attacker could possibly use this issue to
re-create the deleted directory, resulting in privilege escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
snapd 2.73+ubuntu24.04.2
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8102-2
https://ubuntu.com/security/notices/USN-8102-1
CVE-2026-3888, https://launchpad.net/bugs/2144728
Package Information:
https://launchpad.net/ubuntu/+source/snapd/2.73+ubuntu24.04.2
[USN-8106-1] Valkey vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8106-1
March 18, 2026
valkey vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in Valkey.
Software Description:
- valkey: Persistent key-value database with network interface
Details:
It was discovered that Valkey incorrectly handled errors for lua scripts.
An attacker could possibly use this issue to inject arbitrary information
into the response stream for other clients. (CVE-2025-67733)
It was discovered that Valkey incorrectly handled malformed cluster bus
messages. A remote attacker could possibly use this issue to cause Valkey
to crash, resulting in a denial of service. (CVE-2026-21863)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
valkey-server 8.1.6+dfsg1-0ubuntu0.1
Ubuntu 24.04 LTS
valkey-server 7.2.12+dfsg1-0ubuntu0.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-8106-1
CVE-2025-67733, CVE-2026-21863
Package Information:
https://launchpad.net/ubuntu/+source/valkey/8.1.6+dfsg1-0ubuntu0.1
https://launchpad.net/ubuntu/+source/valkey/7.2.12+dfsg1-0ubuntu0.1
[USN-8098-3] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8098-3
March 18, 2026
linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-oracle, linux-oracle-5.4,
linux-xilinx-zynqmp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems
Details:
Qualys discovered that several vulnerabilities existed in the AppArmor
Linux kernel Security Module (LSM). An unprivileged local attacker could
use these issues to load, replace, and remove arbitrary AppArmor profiles
causing denial of service, exposure of sensitive information (kernel
memory), local privilege escalation, or possibly escape a container.
(LP: #2143853)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- x86 architecture;
- GPIO subsystem;
- GPU drivers;
- MMC subsystem;
- BTRFS file system;
- XFRM subsystem;
- IPv4 networking;
- IPv6 networking;
- MAC80211 subsystem;
- SMC sockets;
(CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267,
CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
linux-image-5.4.0-1074-xilinx-zynqmp 5.4.0-1074.78
Available with Ubuntu Pro
linux-image-5.4.0-1154-oracle 5.4.0-1154.164
Available with Ubuntu Pro
linux-image-5.4.0-1156-aws 5.4.0-1156.166
Available with Ubuntu Pro
linux-image-aws-5.4 5.4.0.1156.153
Available with Ubuntu Pro
linux-image-aws-lts-20.04 5.4.0.1156.153
Available with Ubuntu Pro
linux-image-oracle-5.4 5.4.0.1154.148
Available with Ubuntu Pro
linux-image-oracle-lts-20.04 5.4.0.1154.148
Available with Ubuntu Pro
linux-image-xilinx-zynqmp 5.4.0.1074.74
Available with Ubuntu Pro
linux-image-xilinx-zynqmp-5.4 5.4.0.1074.74
Available with Ubuntu Pro
Ubuntu 18.04 LTS
linux-image-5.4.0-1154-oracle 5.4.0-1154.164~18.04.1
Available with Ubuntu Pro
linux-image-5.4.0-1156-aws 5.4.0-1156.166~18.04.1
Available with Ubuntu Pro
linux-image-5.4.0-1159-gcp 5.4.0-1159.168~18.04.1
Available with Ubuntu Pro
linux-image-aws 5.4.0.1156.166~18.04.1
Available with Ubuntu Pro
linux-image-aws-5.4 5.4.0.1156.166~18.04.1
Available with Ubuntu Pro
linux-image-gcp 5.4.0.1159.168~18.04.1
Available with Ubuntu Pro
linux-image-gcp-5.4 5.4.0.1159.168~18.04.1
Available with Ubuntu Pro
linux-image-oracle 5.4.0.1154.164~18.04.1
Available with Ubuntu Pro
linux-image-oracle-5.4 5.4.0.1154.164~18.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-8098-3
https://ubuntu.com/security/notices/USN-8098-2
https://ubuntu.com/security/notices/USN-8098-1
https://launchpad.net/bugs/2143853
CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267,
CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215,
[USN-8107-1] Linux kernel (AWS FIPS) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8107-1
March 18, 2026
linux-aws-fips vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-fips: Linux kernel for Amazon Web Services (AWS) systems with FIPS
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- x86 architecture;
- GPIO subsystem;
- GPU drivers;
- MMC subsystem;
- BTRFS file system;
- XFRM subsystem;
- IPv4 networking;
- IPv6 networking;
- MAC80211 subsystem;
- SMC sockets;
(CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267,
CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
linux-image-5.4.0-1155-aws-fips 5.4.0-1155.165+fips1
Available with Ubuntu Pro
linux-image-aws-fips 5.4.0.1155.102
Available with Ubuntu Pro
linux-image-aws-fips-5.4 5.4.0.1155.102
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-8107-1
CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267,
CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215
Package Information:
https://launchpad.net/ubuntu/+source/linux-aws-fips/5.4.0-1155.165+fips1
[USN-8103-1] Exiv2 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8103-1
March 18, 2026
exiv2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Exiv2.
Software Description:
- exiv2: EXIF/IPTC/XMP metadata manipulation tool
Details:
It was discovered that Exiv2 did not correctly handle reading certain
buffers. An attacker could possibly use this issue to leak sensitive
information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04
LTS. (CVE-2020-18771)
Wen Cheng discovered that Exiv2 did not correctly handle certain memory
allocation. If a user or system were tricked into opening a specially
crafted file, an attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2020-18899)
It was discovered that Exiv2 did not correctly handle writing certain
metadata. If a user or system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to cause a denial of
service. (CVE-2025-54080)
It was discovered that Exiv2 did not correctly handle parsing certain
metadata. If a user or system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-55304)
It was discovered that Exiv2 did not correctly handle parsing certain
images. If a user or system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to cause a denial of
service. (CVE-2026-25884)
It was discovered that Exiv2 did not correctly handle previewing certain
images. An attacker could possibly use this issue to cause a denial of
service. (CVE-2026-27596)
It was discovered that Exiv2 did not correctly handle certain integer
arithmetic. An attacker could possibly use this issue to cause a denial of
service. (CVE-2026-27631)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
exiv2 0.28.5+dfsg-1ubuntu0.1
Ubuntu 24.04 LTS
exiv2 0.27.6-1ubuntu0.1
Ubuntu 22.04 LTS
exiv2 0.27.5-3ubuntu1.1
Ubuntu 20.04 LTS
exiv2 0.27.2-8ubuntu2.7+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
exiv2 0.25-3.1ubuntu0.18.04.11+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
exiv2 0.25-2.1ubuntu16.04.7+esm5
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8103-1
CVE-2020-18771, CVE-2020-18899, CVE-2025-54080, CVE-2025-55304,
CVE-2026-25884, CVE-2026-27596, CVE-2026-27631
Package Information:
https://launchpad.net/ubuntu/+source/exiv2/0.28.5+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/exiv2/0.27.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/exiv2/0.27.5-3ubuntu1.1
[USN-8097-2] roundcube regression
==========================================================================
Ubuntu Security Notice USN-8097-2
March 18, 2026
roundcube regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
USN-8097-1 introduced a regression in roundcube
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack
Details:
USN-8097-1 fixed a vulnerability in roundcube. The update caused
a regression affecting the HTML sanitizer, preventing Roundcube from rendering
any email message body. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Roundcube Webmail did not properly sanitize the
animate tag within SVG documents. An attacker could possibly use
this issue to cause a cross-site scripting attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm7
Available with Ubuntu Pro
roundcube-plugins 1.4.3+dfsg.1-1ubuntu0.1~esm7
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8097-2
https://ubuntu.com/security/notices/USN-8097-1
https://launchpad.net/bugs/2144682
[USN-8108-1] Bouncy Castle vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8108-1
March 18, 2026
bouncycastle vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Bouncy Castle.
Software Description:
- bouncycastle: Java implementation of cryptographic algorithms
Details:
It was discovered that Bouncy Castle did not sanitize user input when
inserting it into an LDAP search filter. An attacker could possibly use
this issue to perform an LDAP injection attack. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-33201)
It was discovered that Bouncy Castle incorrectly handled specially crafted
F2m parameters in the ECCurve algorithm. An attacker could possibly use
this issue to cause Bouncy Castle to use excessive resources, leading to a
denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-29857)
It was discovered that Bouncy Castle leaked timing information when
handling exceptions during an RSA handshake. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
(CVE-2024-30171)
It was discovered that Bouncy Castle incorrectly handled endpoint
identification with an SSL socket enabled without an explicit hostname. An
attacker could possibly use this issue to perform a DNS poisoning attack.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2024-34447)
Bing Shi discovered that Bouncy Castle incorrectly handled resource memory
allocation. An attacker could possibly use this issue to cause Bouncy
Castle to use excessive resources, leading to a denial of service. This
issue only affected Ubuntu 24.04 LTS. (CVE-2025-8916)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libbcjmail-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcmail-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbctls-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcutil-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
libbcmail-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbctls-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
libbcmail-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libbcmail-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libbcmail-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
libbcpg-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
libbcpkix-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
libbcprov-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8108-1
CVE-2023-33201, CVE-2024-29857, CVE-2024-30171, CVE-2024-30172,
CVE-2024-34447, CVE-2025-8916
[USN-8105-1] FreeRDP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8105-1
March 18, 2026
freerdp3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in FreeRDP.
Software Description:
- freerdp3: RDP client for Windows Terminal Services
Details:
It was discovered that FreeRDP incorrectly handled certain RDP packets. A
remote attacker could use this issue to cause FreeRDP to crash, resulting
in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
libfreerdp3-3 3.16.0+dfsg-2ubuntu0.3
Ubuntu 24.04 LTS
libfreerdp3-3 3.5.1+dfsg1-0ubuntu1.4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8105-1
CVE-2026-22851, CVE-2026-22852, CVE-2026-22853, CVE-2026-22854,
CVE-2026-22855, CVE-2026-22856, CVE-2026-22857, CVE-2026-22858,
CVE-2026-22859, CVE-2026-23530, CVE-2026-23531, CVE-2026-23532,
CVE-2026-23533, CVE-2026-23534, CVE-2026-23732, CVE-2026-23883,
CVE-2026-23884, CVE-2026-25941, CVE-2026-25942, CVE-2026-25952,
CVE-2026-25953, CVE-2026-25954, CVE-2026-25955, CVE-2026-25959,
CVE-2026-25997, CVE-2026-26271, CVE-2026-26955, CVE-2026-26965,
CVE-2026-26986, CVE-2026-27015, CVE-2026-27950, CVE-2026-27951
Package Information:
https://launchpad.net/ubuntu/+source/freerdp3/3.16.0+dfsg-2ubuntu0.3
https://launchpad.net/ubuntu/+source/freerdp3/3.5.1+dfsg1-0ubuntu1.4
