Several security issues were fixed in various software packages on Ubuntu systems, including libpng, GIMP, .NET, python-cryptography, FreeType, util-linux, OpenSSH, Sudo, Go Networking, and go-git. The vulnerabilities could potentially be used by attackers to cause a denial of service, execute arbitrary code, or leak sensitive information.

[USN-8081-1] libpng vulnerabilities
[USN-8082-1] GIMP vulnerabilities
[USN-8085-1] .NET vulnerabilities
[USN-8087-1] python-cryptography vulnerability
[USN-8086-1] FreeType vulnerability
[USN-8091-1] util-linux vulnerability
[USN-8090-2] OpenSSH vulnerabilities
[USN-8092-1] Sudo vulnerability
[USN-8090-1] OpenSSH vulnerabilities
[USN-8089-1] Go Networking vulnerabilities
[USN-8088-1] go-git vulnerabilities




[USN-8081-1] libpng vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8081-1
March 11, 2026

libpng vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in libpng.

Software Description:
- libpng: PNG (Portable Network Graphics) file library

Details:

It was discovered that libpng did not properly handle memory when processing
certain PNG files. An attacker could possibly use this issue to cause libpng
to crash, resulting in a denial of service, or disclose sensitive information.
(CVE-2025-64505)

Joshua Inscoe discovered that libpng did not properly handle memory when
processing certain PNG files. An attacker could possibly use this issue
to cause libpng to crash, resulting in a denial of service, disclose sensitive
information, or execute arbitrary code. (CVE-2026-25646)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
libpng12-0 1.2.54-1ubuntu1.1+esm2
Available with Ubuntu Pro

Ubuntu 14.04 LTS
libpng12-0 1.2.50-1ubuntu2.14.04.3+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8081-1
CVE-2025-64505, CVE-2026-25646



[USN-8082-1] GIMP vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8082-1
March 10, 2026

gimp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in GIMP.

Software Description:
- gimp: GNU Image Manipulation Program

Details:

Michael Randrianantenaina discovered that GIMP incorrectly handled certain
malformed ICO files. An attacker could possibly use this to cause a denial
of service or execute arbitrary code. (CVE-2025-5473)

Seungho Kim discovered that GIMP incorrectly handled certain memory
operations when running the despeckle plugin. An attacker could possibly
use this to cause a denial of service or execute arbitrary code.
(CVE-2025-6035)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
gimp 2.10.36-3ubuntu0.24.04.1+esm3
Available with Ubuntu Pro
libgimp2.0t64 2.10.36-3ubuntu0.24.04.1+esm3
Available with Ubuntu Pro

Ubuntu 22.04 LTS
gimp 2.10.30-1ubuntu0.1+esm3
Available with Ubuntu Pro
libgimp2.0 2.10.30-1ubuntu0.1+esm3
Available with Ubuntu Pro

Ubuntu 20.04 LTS
gimp 2.10.18-1ubuntu0.1+esm3
Available with Ubuntu Pro
libgimp2.0 2.10.18-1ubuntu0.1+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
gimp 2.8.22-1ubuntu0.1~esm3
Available with Ubuntu Pro
libgimp2.0 2.8.22-1ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 16.04 LTS
gimp 2.8.16-1ubuntu1.1+esm3
Available with Ubuntu Pro
libgimp2.0 2.8.16-1ubuntu1.1+esm3
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8082-1
CVE-2025-5473, CVE-2025-6035



[USN-8085-1] .NET vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8085-1
March 11, 2026

dotnet8, dotnet9, dotnet10 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:
- dotnet10: .NET CLI tools and runtime
- dotnet8: .NET CLI tools and runtime
- dotnet9: .NET CLI tools and runtime

Details:

It was discovered that the .NET Microsoft.Bcl.Memory NuGet package did not
properly handle certain malformed Base64Url encoded input. An attacker could
possibly use this issue to cause .NET to crash, resulting in a denial of
service. This issue only affected .NET 9.0 and .NET 10.0. (CVE-2026-26127)

Bartłomiej Dach discovered that .NET's SignalR server component did not
properly manage resource consumption when processing certain messages. An
attacker could possibly use this issue to exhaust internal buffers, resulting
in a denial of service. (CVE-2026-26130)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
aspnetcore-runtime-10.0 10.0.4-0ubuntu1~25.10.1
aspnetcore-runtime-8.0 8.0.25-0ubuntu1~25.10.1
aspnetcore-runtime-9.0 9.0.14-0ubuntu1~25.10.1
dotnet-host-10.0 10.0.4-0ubuntu1~25.10.1
dotnet-host-8.0 8.0.25-0ubuntu1~25.10.1
dotnet-host-9.0 9.0.14-0ubuntu1~25.10.1
dotnet-hostfxr-10.0 10.0.4-0ubuntu1~25.10.1
dotnet-hostfxr-8.0 8.0.25-0ubuntu1~25.10.1
dotnet-hostfxr-9.0 9.0.14-0ubuntu1~25.10.1
dotnet-runtime-10.0 10.0.4-0ubuntu1~25.10.1
dotnet-runtime-8.0 8.0.25-0ubuntu1~25.10.1
dotnet-runtime-9.0 9.0.14-0ubuntu1~25.10.1
dotnet-sdk-10.0 10.0.104-0ubuntu1~25.10.1
dotnet-sdk-8.0 8.0.125-0ubuntu1~25.10.1
dotnet-sdk-9.0 9.0.115-0ubuntu1~25.10.1
dotnet-sdk-aot-10.0 10.0.104-0ubuntu1~25.10.1
dotnet-sdk-aot-9.0 9.0.115-0ubuntu1~25.10.1
dotnet10 10.0.104-10.0.4-0ubuntu1~25.10.1
dotnet8 8.0.125-8.0.25-0ubuntu1~25.10.1
dotnet9 9.0.115-9.0.14-0ubuntu1~25.10.1

Ubuntu 24.04 LTS
aspnetcore-runtime-10.0 10.0.4-0ubuntu1~24.04.1
aspnetcore-runtime-8.0 8.0.25-0ubuntu1~24.04.1
dotnet-host-10.0 10.0.4-0ubuntu1~24.04.1
dotnet-host-8.0 8.0.25-0ubuntu1~24.04.1
dotnet-hostfxr-10.0 10.0.4-0ubuntu1~24.04.1
dotnet-hostfxr-8.0 8.0.25-0ubuntu1~24.04.1
dotnet-runtime-10.0 10.0.4-0ubuntu1~24.04.1
dotnet-runtime-8.0 8.0.25-0ubuntu1~24.04.1
dotnet-sdk-10.0 10.0.104-0ubuntu1~24.04.1
dotnet-sdk-8.0 8.0.125-0ubuntu1~24.04.1
dotnet-sdk-aot-10.0 10.0.104-0ubuntu1~24.04.1
dotnet10 10.0.104-10.0.4-0ubuntu1~24.04.1
dotnet8 8.0.125-8.0.25-0ubuntu1~24.04.1

Ubuntu 22.04 LTS
aspnetcore-runtime-8.0 8.0.25-0ubuntu1~22.04.1
dotnet-host-8.0 8.0.25-0ubuntu1~22.04.1
dotnet-hostfxr-8.0 8.0.25-0ubuntu1~22.04.1
dotnet-runtime-8.0 8.0.25-0ubuntu1~22.04.1
dotnet-sdk-8.0 8.0.125-0ubuntu1~22.04.1
dotnet8 8.0.125-8.0.25-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8085-1
CVE-2026-26127, CVE-2026-26130

Package Information:
https://launchpad.net/ubuntu/+source/dotnet10/10.0.104-10.0.4-0ubuntu1~25.10.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.125-8.0.25-0ubuntu1~25.10.1
https://launchpad.net/ubuntu/+source/dotnet9/9.0.115-9.0.14-0ubuntu1~25.10.1
https://launchpad.net/ubuntu/+source/dotnet10/10.0.104-10.0.4-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.125-8.0.25-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.125-8.0.25-0ubuntu1~22.04.1



[USN-8087-1] python-cryptography vulnerability


==========================================================================
Ubuntu Security Notice USN-8087-1
March 12, 2026

python-cryptography vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

python-cryptography could be made to expose sensitive information over the
network.

Software Description:
- python-cryptography: Cryptography Python library

Details:

It was discovered that python-cryptography incorrectly handled subgroup
validation for SECT curves. A remote attacker could use this issue to
perform a subgroup attack and possibly recover the least significant bits
of private keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
python3-cryptography 43.0.0-1ubuntu1.1

Ubuntu 24.04 LTS
python3-cryptography 41.0.7-4ubuntu0.3

Ubuntu 22.04 LTS
python3-cryptography 3.4.8-1ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8087-1
CVE-2026-26007

Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/43.0.0-1ubuntu1.1
https://launchpad.net/ubuntu/+source/python-cryptography/41.0.7-4ubuntu0.3
https://launchpad.net/ubuntu/+source/python-cryptography/3.4.8-1ubuntu2.3



[USN-8086-1] FreeType vulnerability


==========================================================================
Ubuntu Security Notice USN-8086-1
March 12, 2026

freetype vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS

Summary:

FreeType could be made to leak sensitive information.

Software Description:
- freetype: FreeType 2 is a font engine library

Details:

It was discovered that FreeType did not correctly handle certain integer
arithmetic. An attacker could possibly use this issue to leak sensitive
information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libfreetype-dev 2.13.3+dfsg-1ubuntu0.1
libfreetype6 2.13.3+dfsg-1ubuntu0.1

Ubuntu 24.04 LTS
libfreetype-dev 2.13.2+dfsg-1ubuntu0.1
libfreetype6 2.13.2+dfsg-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8086-1
CVE-2026-23865

Package Information:
https://launchpad.net/ubuntu/+source/freetype/2.13.3+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/freetype/2.13.2+dfsg-1ubuntu0.1



[USN-8091-1] util-linux vulnerability


==========================================================================
Ubuntu Security Notice USN-8091-1
March 12, 2026

util-linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

util-linux could be made to run programs as an administrator.

Software Description:
- util-linux: miscellaneous system utilities

Details:

It was discovered that the util-linux su utility did not drop capabilities
when being used with the --pty option. While not a security issue by
itself, a local attacker could possibly use the su tool to exploit
vulnerabilities in other applications.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
util-linux 2.41-4ubuntu4.2

Ubuntu 24.04 LTS
util-linux 2.39.3-9ubuntu6.5

Ubuntu 22.04 LTS
util-linux 2.37.2-4ubuntu3.5

Ubuntu 20.04 LTS
util-linux 2.34-0.1ubuntu9.6+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8091-1
https://launchpad.net/bugs/2143850

Package Information:
https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu4.2
https://launchpad.net/ubuntu/+source/util-linux/2.39.3-9ubuntu6.5
https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.5



[USN-8090-2] OpenSSH vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8090-2
March 12, 2026

openssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the
corresponding updates for Ubuntu 20.04 LTS.

Original advisory details:

Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)

David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)

David Leadbeater discovered that OpenSSH incorrectly handled NULL
characters in ssh:// URIs. When the ProxyCommand is being used, an attacker
could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
openssh-client 1:8.2p1-4ubuntu0.13+esm1
Available with Ubuntu Pro
openssh-server 1:8.2p1-4ubuntu0.13+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8090-2
https://ubuntu.com/security/notices/USN-8090-1
CVE-2025-61984, CVE-2025-61985, CVE-2026-3497



[USN-8092-1] Sudo vulnerability


==========================================================================
Ubuntu Security Notice USN-8092-1
March 12, 2026

sudo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Sudo could be made to run programs as an administrator.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

It was discovered that Sudo incorrectly checked return codes when dropping
privileges to run the mailer. A local attacker could possibly use this
issue to escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
sudo 1.9.17p2-1ubuntu1.1

Ubuntu 24.04 LTS
sudo 1.9.15p5-3ubuntu5.24.04.2
sudo-ldap 1.9.15p5-3ubuntu5.24.04.2

Ubuntu 22.04 LTS
sudo 1.9.9-1ubuntu2.6
sudo-ldap 1.9.9-1ubuntu2.6

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8092-1
https://launchpad.net/bugs/2143042

Package Information:
https://launchpad.net/ubuntu/+source/sudo/1.9.17p2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/sudo/1.9.15p5-3ubuntu5.24.04.2
https://launchpad.net/ubuntu/+source/sudo/1.9.9-1ubuntu2.6



[USN-8090-1] OpenSSH vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8090-1
March 12, 2026

openssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)

David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)

David Leadbeater discovered that OpenSSH incorrectly handled NULL
characters in ssh:// URIs. When the ProxyCommand is being used, an attacker
could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
openssh-client 1:10.0p1-5ubuntu5.1
openssh-server 1:10.0p1-5ubuntu5.1

Ubuntu 24.04 LTS
openssh-client 1:9.6p1-3ubuntu13.15
openssh-server 1:9.6p1-3ubuntu13.15

Ubuntu 22.04 LTS
openssh-client 1:8.9p1-3ubuntu0.14
openssh-server 1:8.9p1-3ubuntu0.14

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8090-1
CVE-2025-61984, CVE-2025-61985, CVE-2026-3497

Package Information:
https://launchpad.net/ubuntu/+source/openssh/1:10.0p1-5ubuntu5.1
https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.15
https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.14



[USN-8089-1] Go Networking vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8089-1
March 12, 2026

golang-golang-x-net vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Go Networking.

Software Description:
- golang-golang-x-net: Supplementary Go networking libraries

Details:

Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)

Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)

Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker could possibly use this to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-3978)

Sean Ng discovered an error in Go Networking's HTML tag handling. An
attacker could possibly use this to cause a denial of service.
(CVE-2025-22872)

Guido Vranken and Jakub Ciolek discovered that a maliciously crafted HTML
document could exhaust system resources on servers using Go Networking. An
attacker could possibly use this to cause a denial of service.
(CVE-2025-47911)

Guido Vranken discovered that a maliciously crafted HTML document could put
servers using Go Networking into an infinite loop. An attacker could
possibly use this to cause a denial of service. (CVE-2025-58190)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
golang-golang-x-net-dev 1:0.21.0+dfsg-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 22.04 LTS
golang-golang-x-net-dev 1:0.0+git20211209.491a49a+dfsg-1ubuntu0.1~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8089-1
CVE-2022-27664, CVE-2022-41723, CVE-2023-3978, CVE-2025-22872,
CVE-2025-47911, CVE-2025-58190



[USN-8088-1] go-git vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8088-1
March 12, 2026

golang-github-go-git-go-git vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in go-git.

Software Description:
- golang-github-go-git-go-git: A highly extensible Git implementation in pure Go

Details:

Ionut Lalu discovered that go-git incorrectly handled certain specially
crafted Git server responses. An attacker could possibly use this issue to
cause a denial of service. (CVE-2023-49568, CVE-2025-21614)

Ionut Lalu discovered that go-git incorrectly handled file system paths
when using the ChrootOS implementation. A remote attacker could possibly
use this issue to perform a path traversal and create or modify arbitrary
files, leading to remote code execution. (CVE-2023-49569)

It was discovered that go-git did not properly sanitize arguments when
invoking git-upload-pack using the file transport protocol. An attacker
could possibly use this issue to inject arbitrary flag values when
interacting with local Git repositories. (CVE-2025-21613)

It was discovered that go-git did not properly verify integrity checks for
pack and index files. An attacker could possibly use this issue to cause
go-git to process corrupted repository data, resulting in unexpected errors
or an incorrect repository state. (CVE-2026-25934)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
go-git 5.4.2-4ubuntu0.24.04.3+esm2
Available with Ubuntu Pro
golang-github-go-git-go-git-dev 5.4.2-4ubuntu0.24.04.3+esm2
Available with Ubuntu Pro

Ubuntu 22.04 LTS
go-git 5.4.2-3ubuntu0.1~esm1
Available with Ubuntu Pro
golang-github-go-git-go-git-dev 5.4.2-3ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8088-1
CVE-2023-49568, CVE-2023-49569, CVE-2025-21613, CVE-2025-21614,
CVE-2026-25934
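

Added example (not part of the Ubuntu notices above): checking an inventory against the fixed versions listed in these notices requires Debian version ordering, not string comparison, because the versions carry epochs (1:), tildes (~esm3) and plus suffixes (+esm2). The sketch below reimplements that ordering in Python, which on a real host is what dpkg --compare-versions provides. The fixed versions are copied from the Ubuntu 22.04 LTS entries on this page, and the installed inventory is constructed for illustration.

```python
DIGITS = "0123456789"


def _at_digit(s, k):
    return k < len(s) and s[k] in DIGITS


def _order(s, k):
    """Sort weight of the character at s[k]; end of string and digits weigh 0."""
    if k >= len(s) or s[k] in DIGITS:
        return 0
    c = s[k]
    if c == "~":
        return -1                     # tilde sorts before everything, even the end
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256               # '+', '.', '-' sort after letters


def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not _at_digit(a, i)) or (j < len(b) and not _at_digit(b, j)):
            wa, wb = _order(a, i), _order(b, j)
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically, an empty run counts as 0.
        si, sj = i, j
        while _at_digit(a, i):
            i += 1
        while _at_digit(b, j):
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare(v1, v2):
    """Debian ordering of [epoch:]upstream[-revision]: -1, 0 or 1."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def outdated(installed, fixed):
    """Packages whose installed version sorts below the fixed version."""
    return [(p, installed[p], fixed[p]) for p in sorted(fixed)
            if p in installed and compare(installed[p], fixed[p]) < 0]


# Fixed versions for Ubuntu 22.04 LTS, copied from the notices on this page.
FIXED_22_04 = {
    "gimp": "2.10.30-1ubuntu0.1+esm3",
    "python3-cryptography": "3.4.8-1ubuntu2.3",
    "util-linux": "2.37.2-4ubuntu3.5",
    "sudo": "1.9.9-1ubuntu2.6",
    "openssh-client": "1:8.9p1-3ubuntu0.14",
    "openssh-server": "1:8.9p1-3ubuntu0.14",
}
# Constructed inventory of one host (sample data, not from the page).
INSTALLED = {
    "gimp": "2.10.30-1ubuntu0.1",
    "python3-cryptography": "3.4.8-1ubuntu2.3",
    "util-linux": "2.37.2-4ubuntu3.4",
    "openssh-client": "1:8.9p1-3ubuntu0.9",
    "openssh-server": "1:8.9p1-3ubuntu0.14",
}

if __name__ == "__main__":
    for pkg, have, want in outdated(INSTALLED, FIXED_22_04):
        print(f"{pkg}: installed {have}, fixed in {want}")
```

A plain string comparison would rank the constructed openssh-client revision ubuntu0.9 above the fixed ubuntu0.14 and miss that package; the numeric comparison of digit runs is what catches it.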