Several security updates have been released for Ubuntu to address vulnerabilities in various software packages, including FreeRDP, Expat, .NET, alsa-lib, and GnuTLS. The updates affect multiple releases of Ubuntu, including 25.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, and 18.04 LTS. Vulnerabilities were discovered in FreeRDP that could allow attackers to cause denial of service or execute arbitrary code, while Expat had issues with XML parsing and .NET had a vulnerability related to bypassing security checks. alsa-lib was found to have a topology mixer control decoder issue, and GnuTLS had problems with malicious certificates and PKCS11 token labels.

[USN-8042-1] FreeRDP vulnerabilities
[USN-8022-2] Expat vulnerabilities
[USN-8025-2] .NET vulnerability
[USN-8044-1] alsa-lib vulnerability
[USN-8043-1] GnuTLS vulnerabilities

[USN-8042-1] FreeRDP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8042-1
February 16, 2026

freerdp2, freerdp3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in FreeRDP.

Software Description:
- freerdp3: RDP client for Windows Terminal Services
- freerdp2: RDP client for Windows Terminal Services

Details:

It was discovered that FreeRDP incorrectly handled memory under certain
circumstances, which could lead to a NULL pointer dereference. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2026-23948)

It was discovered that FreeRDP did not correctly validate the size of
certain variables, which could cause a buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected FreeRDP3 in Ubuntu 24.04 LTS and Ubuntu
25.10. (CVE-2026-24491)

It was discovered that FreeRDP did not correctly validate the size of
certain variables, which could cause a buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. (CVE-2026-24675, CVE-2026-24679, CVE-2026-24682)

It was discovered that FreeRDP had a use after free vulnerability under
certain circumstances. An attacker could use this to cause a denial of
service or possibly execute arbitrary code. (CVE-2026-24676,
CVE-2026-24681)

It was discovered that FreeRDP did not correctly validate the size of
certain variables, which could cause a buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 25.10. (CVE-2026-24677)

It was discovered that FreeRDP had a use after free vulnerability under
certain circumstances. An attacker could use this to cause a denial of
service or possibly execute arbitrary code. This issue only affected
Ubuntu 25.10. (CVE-2026-24678)

It was discovered that FreeRDP had a use after free vulnerability under
certain circumstances. An attacker could use this to cause a denial of
service or possibly execute arbitrary code. This issue only affected
FreeRDP3 in Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-24680)

It was discovered that FreeRDP had a use after free vulnerability under
certain circumstances. An attacker could use this to cause a denial of
service or possibly execute arbitrary code. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2026-24683, CVE-2026-24684)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
freerdp3-x11 3.16.0+dfsg-2ubuntu0.1
libfreerdp3-3 3.16.0+dfsg-2ubuntu0.1

Ubuntu 24.04 LTS
freerdp2-x11 2.11.5+dfsg1-1ubuntu0.1~esm5
Available with Ubuntu Pro
freerdp3-x11 3.5.1+dfsg1-0ubuntu1.2
libfreerdp2-2t64 2.11.5+dfsg1-1ubuntu0.1~esm5
Available with Ubuntu Pro
libfreerdp3-3 3.5.1+dfsg1-0ubuntu1.2

Ubuntu 22.04 LTS
freerdp2-x11 2.6.1+dfsg1-3ubuntu2.10
libfreerdp2-2 2.6.1+dfsg1-3ubuntu2.10

Ubuntu 20.04 LTS
freerdp2-x11 2.6.1+dfsg1-0ubuntu0.20.04.2+esm3
Available with Ubuntu Pro
libfreerdp2-2 2.6.1+dfsg1-0ubuntu0.20.04.2+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
freerdp2-x11 2.2.0+dfsg1-0ubuntu0.18.04.4+esm5
Available with Ubuntu Pro
libfreerdp2-2 2.2.0+dfsg1-0ubuntu0.18.04.4+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8042-1
CVE-2026-23948, CVE-2026-24491, CVE-2026-24675, CVE-2026-24676,
CVE-2026-24677, CVE-2026-24678, CVE-2026-24679, CVE-2026-24680,
CVE-2026-24681, CVE-2026-24682, CVE-2026-24683, CVE-2026-24684

Package Information:
https://launchpad.net/ubuntu/+source/freerdp3/3.16.0+dfsg-2ubuntu0.1
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.10

[USN-8022-2] Expat vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8022-2
February 16, 2026

expat vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in Expat.

Software Description:
- expat: XML parsing C library

Details:

USN-8022-1 fixed vulnerabilities in Expat. This update provides the
corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

It was discovered that Expat incorrectly handled the initialization of parsers
for external entities. An attacker could possibly use this issue to cause a
denial of service. (CVE-2026-24515)

It was discovered that Expat incorrectly handled integer calculations when
allocating memory for XML tags. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2026-25210)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
expat 2.6.1-2ubuntu0.4
libexpat1 2.6.1-2ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8022-2
https://ubuntu.com/security/notices/USN-8022-1
CVE-2026-24515, CVE-2026-25210

Package Information:
https://launchpad.net/ubuntu/+source/expat/2.6.1-2ubuntu0.4

[USN-8025-2] .NET vulnerability

==========================================================================
Ubuntu Security Notice USN-8025-2
February 16, 2026

dotnet8, dotnet10 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

.NET could be made to bypass security features.

Software Description:
- dotnet10: .NET CLI tools and runtime
- dotnet8: .NET CLI tools and runtime

Details:

USN 8025-1 fixed a vulnerability in .NET. This update provides the
corresponding fix for Ubuntu 24.04 LTS.

Original advisory details:

Kevin Jones discovered that the System.Security.Cryptography.Cose
component in .NET did not properly handle certain missing special
elements in input data. An attacker could possibly use this issue to
bypass security checks and gain unauthorized access or perform data
manipulation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
aspnetcore-runtime-10.0 10.0.3-0ubuntu1~24.04.1
aspnetcore-runtime-8.0 8.0.24-0ubuntu1~24.04.1
dotnet-host-10.0 10.0.3-0ubuntu1~24.04.1
dotnet-host-8.0 8.0.24-0ubuntu1~24.04.1
dotnet-hostfxr-10.0 10.0.3-0ubuntu1~24.04.1
dotnet-hostfxr-8.0 8.0.24-0ubuntu1~24.04.1
dotnet-runtime-10.0 10.0.3-0ubuntu1~24.04.1
dotnet-runtime-8.0 8.0.24-0ubuntu1~24.04.1
dotnet-sdk-10.0 10.0.103-0ubuntu1~24.04.1
dotnet-sdk-8.0 8.0.124-0ubuntu1~24.04.1
dotnet-sdk-aot-10.0 10.0.103-0ubuntu1~24.04.1
dotnet10 10.0.103-10.0.3-0ubuntu1~24.04.1
dotnet8 8.0.124-8.0.24-0ubuntu1~24.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8025-2
https://ubuntu.com/security/notices/USN-8025-1
CVE-2026-21218

Package Information:
https://launchpad.net/ubuntu/+source/dotnet10/10.0.103-10.0.3-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.124-8.0.24-0ubuntu1~24.04.1

[USN-8044-1] alsa-lib vulnerability

==========================================================================
Ubuntu Security Notice USN-8044-1
February 16, 2026

alsa-lib vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

alsa-lib could be made to crash or run programs if it opened a specially
crafted file.

Software Description:
- alsa-lib: shared library for ALSA applications

Details:

It was discovered that alsa-lib incorrectly handled the topology mixer
control decoder. A local attacker could use a specially crafted topology
file to cause alsa-lib to crash, resulting in a denial of service, or
possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libasound2t64 1.2.14-1ubuntu1.1

Ubuntu 24.04 LTS
libasound2t64 1.2.11-1ubuntu0.2

Ubuntu 22.04 LTS
libasound2 1.2.6.1-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8044-1
CVE-2026-25068

Package Information:
https://launchpad.net/ubuntu/+source/alsa-lib/1.2.14-1ubuntu1.1
https://launchpad.net/ubuntu/+source/alsa-lib/1.2.11-1ubuntu0.2
https://launchpad.net/ubuntu/+source/alsa-lib/1.2.6.1-1ubuntu1.1

[USN-8043-1] GnuTLS vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8043-1
February 16, 2026

gnutls28 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:
- gnutls28: GNU TLS library

Details:

Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious
certificates containing a large number of name constraints and subject
alternative names. A remote attacker could possibly use this issue to
cause GnuTLS to consume resources, resulting in a denial of service.
(CVE-2025-14831)

Luigino Camastra discovered that GnuTLS incorrectly handled certain PKCS11
token labels. A remote attacker could use this issue to cause GnuTLS to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce the
vulnerability to a denial of service. (CVE-2025-9820)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libgnutls30t64 3.8.9-3ubuntu2.1

Ubuntu 24.04 LTS
libgnutls30t64 3.8.3-1.1ubuntu3.5

Ubuntu 22.04 LTS
libgnutls30 3.7.3-4ubuntu1.8

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8043-1
CVE-2025-14831, CVE-2025-9820

Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.8.9-3ubuntu2.1
https://launchpad.net/ubuntu/+source/gnutls28/3.8.3-1.1ubuntu3.5
https://launchpad.net/ubuntu/+source/gnutls28/3.7.3-4ubuntu1.8