Ubuntu 7146 Published by

Ubuntu issued a wide-ranging security update, targeting dozens of vulnerabilities across its 14.04 through 26.04 LTS operating systems. The patches resolve critical flaws in the Raspberry Pi Linux kernel that could enable unauthorized system access, alongside dangerous memory corruption bugs in curl, libheif, and libsoup that risk data theft and service outages.

[USN-8492-4] Linux kernel (Raspberry Pi) vulnerabilities
[USN-8490-2] Linux kernel (Raspberry Pi) vulnerabilities
[USN-8522-1] LibRaw vulnerabilities
[USN-8521-1] Libidn vulnerability
[USN-8524-1] Python vulnerability
[USN-8520-1] Expat vulnerability
[USN-8519-1] Go Cryptography vulnerabilities
[USN-8525-1] curl vulnerabilities
[USN-8526-1] libheif vulnerabilities
[USN-8523-1] libsoup vulnerabilities




[USN-8492-4] Linux kernel (Raspberry Pi) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8492-4
July 09, 2026

linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- MIPS architecture;
- PowerPC architecture;
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
- ATM drivers;
- RNBD block device driver;
- Ublk userspace block driver;
- Bus devices;
- Character device driver;
- TPM device driver;
- Clock framework and drivers;
- Clocksource drivers;
- CPU idle management framework;
- Hardware crypto device drivers;
- DMA engine subsystem;
- EFI core;
- GPIO subsystem;
- GPU drivers;
- HID subsystem;
- Hardware monitoring drivers;
- IIO subsystem;
- InfiniBand drivers;
- IOMMU subsystem;
- Multiple devices driver;
- Media drivers;
- Multifunction device drivers;
- Broadcom VK accelerator driver;
- MOST (Media Oriented Systems Transport) drivers;
- MTD block device drivers;
- Ethernet bonding driver;
- Network drivers;
- Mellanox network drivers;
- STMicroelectronics network drivers;
- NTB driver;
- NVME drivers;
- PCI subsystem;
- Performance monitor drivers;
- Pin controllers subsystem;
- x86 platform drivers;
- Power supply drivers;
- RapidIO drivers;
- RAS (Reliability, Availability, Serviceability) subsystem;
- Remote Processor subsystem;
- RPMSG subsystem;
- S/390 drivers;
- SCSI subsystem;
- MediaTek SoC drivers;
- Texas Instruments SoC drivers;
- SPI subsystem;
- Greybus lights staging drivers;
- Realtek RTL8723BS SDIO drivers;
- UFS subsystem;
- ChipIdea USB driver;
- DesignWare USB3 driver;
- USB over IP driver;
- vDPA drivers;
- Virtio Host (VHOST) subsystem;
- Framebuffer layer;
- BTRFS file system;
- File systems infrastructure;
- Ceph distributed file system;
- Ext4 file system;
- F2FS file system;
- FAT file system;
- GFS2 file system;
- HFS+ file system;
- JFS file system;
- Network file system (NFS) server daemon;
- NILFS2 file system;
- NTFS3 file system;
- OCFS2 file system;
- Proc file system;
- Pstore file system;
- Diskquota system;
- SMB network file system;
- XFS file system;
- Audit subsystem;
- Memory Management;
- IPv6 networking;
- Netfilter;
- Tracing infrastructure;
- Kernel kexec() syscall;
- RCU subsystem;
- Scheduler infrastructure;
- Scatterlist API;
- 9P file system network protocol;
- Asynchronous Transfer Mode (ATM) subsystem;
- B.A.T.M.A.N. meshing protocol;
- Bluetooth subsystem;
- Ethernet bridge;
- Ceph Core library;
- Networking core;
- IPv4 networking;
- KCM (Kernel Connection Multiplexor) sockets driver;
- Multipath TCP;
- NFC subsystem;
- RDS protocol;
- RxRPC session sockets;
- Network traffic control;
- SMC sockets;
- Sun RPC protocol;
- X.25 network layer;
- XFRM subsystem;
- AppArmor security module;
- Simplified Mandatory Access Control Kernel framework;
- SOF drivers;
- USB sound devices;
(CVE-2025-40005, CVE-2025-71229, CVE-2025-71231, CVE-2025-71232,
CVE-2025-71233, CVE-2025-71235, CVE-2025-71236, CVE-2025-71237,
CVE-2025-71238, CVE-2025-71239, CVE-2025-71265, CVE-2025-71266,
CVE-2025-71267, CVE-2025-71272, CVE-2025-71273, CVE-2025-71274,
CVE-2025-71286, CVE-2025-71291, CVE-2025-71292, CVE-2025-71294,
CVE-2025-71295, CVE-2025-71297, CVE-2025-71304, CVE-2025-71305,
CVE-2026-23100, CVE-2026-23169, CVE-2026-23220, CVE-2026-23221,
CVE-2026-23222, CVE-2026-23228, CVE-2026-23229, CVE-2026-23230,
CVE-2026-23233, CVE-2026-23234, CVE-2026-23235, CVE-2026-23236,
CVE-2026-23237, CVE-2026-23238, CVE-2026-23241, CVE-2026-23242,
CVE-2026-23243, CVE-2026-23249, CVE-2026-23266, CVE-2026-23267,
CVE-2026-23272, CVE-2026-23278, CVE-2026-23392, CVE-2026-23428,
CVE-2026-23450, CVE-2026-23455, CVE-2026-31402, CVE-2026-31411,
CVE-2026-31418, CVE-2026-31436, CVE-2026-31448, CVE-2026-31478,
CVE-2026-31607, CVE-2026-31637, CVE-2026-31649, CVE-2026-31657,
CVE-2026-31659, CVE-2026-31668, CVE-2026-31669, CVE-2026-31682,
CVE-2026-31685, CVE-2026-31687, CVE-2026-31693, CVE-2026-43011,
CVE-2026-43037, CVE-2026-43038, CVE-2026-43071, CVE-2026-43114,
CVE-2026-43117, CVE-2026-43123, CVE-2026-43124, CVE-2026-43128,
CVE-2026-43130, CVE-2026-43132, CVE-2026-43133, CVE-2026-43134,
CVE-2026-43135, CVE-2026-43136, CVE-2026-43137, CVE-2026-43139,
CVE-2026-43140, CVE-2026-43141, CVE-2026-43143, CVE-2026-43145,
CVE-2026-43147, CVE-2026-43148, CVE-2026-43149, CVE-2026-43150,
CVE-2026-43152, CVE-2026-43153, CVE-2026-43156, CVE-2026-43157,
CVE-2026-43158, CVE-2026-43159, CVE-2026-43163, CVE-2026-43167,
CVE-2026-43168, CVE-2026-43169, CVE-2026-43170, CVE-2026-43171,
CVE-2026-43173, CVE-2026-43175, CVE-2026-43180, CVE-2026-43182,
CVE-2026-43183, CVE-2026-43184, CVE-2026-43186, CVE-2026-43187,
CVE-2026-43189, CVE-2026-43190, CVE-2026-43194, CVE-2026-43196,
CVE-2026-43199, CVE-2026-43200, CVE-2026-43201, CVE-2026-43202,
CVE-2026-43203, CVE-2026-43205, CVE-2026-43206, CVE-2026-43207,
CVE-2026-43209, CVE-2026-43211, CVE-2026-43212, CVE-2026-43214,
CVE-2026-43215, CVE-2026-43218, CVE-2026-43221, CVE-2026-43222,
CVE-2026-43223, CVE-2026-43225, CVE-2026-43226, CVE-2026-43227,
CVE-2026-43230, CVE-2026-43231, CVE-2026-43232, CVE-2026-43233,
CVE-2026-43236, CVE-2026-43238, CVE-2026-43239, CVE-2026-43241,
CVE-2026-43242, CVE-2026-43244, CVE-2026-43246, CVE-2026-43248,
CVE-2026-43249, CVE-2026-43250, CVE-2026-43251, CVE-2026-43253,
CVE-2026-43255, CVE-2026-43256, CVE-2026-43257, CVE-2026-43258,
CVE-2026-43261, CVE-2026-43262, CVE-2026-43264, CVE-2026-43266,
CVE-2026-43268, CVE-2026-43269, CVE-2026-43270, CVE-2026-43271,
CVE-2026-43273, CVE-2026-43275, CVE-2026-43277, CVE-2026-43278,
CVE-2026-43279, CVE-2026-43283, CVE-2026-43287, CVE-2026-43288,
CVE-2026-43289, CVE-2026-43291, CVE-2026-43295, CVE-2026-43296,
CVE-2026-43297, CVE-2026-43300, CVE-2026-43302, CVE-2026-43304,
CVE-2026-43312, CVE-2026-43313, CVE-2026-43314, CVE-2026-43315,
CVE-2026-43316, CVE-2026-43317, CVE-2026-43318, CVE-2026-43319,
CVE-2026-43320, CVE-2026-43341, CVE-2026-43378, CVE-2026-43383,
CVE-2026-43384, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414,
CVE-2026-43493, CVE-2026-43501, CVE-2026-45847, CVE-2026-45848,
CVE-2026-45849, CVE-2026-45851, CVE-2026-45852, CVE-2026-45856,
CVE-2026-45857, CVE-2026-45859, CVE-2026-45860, CVE-2026-45861,
CVE-2026-45862, CVE-2026-45864, CVE-2026-45865, CVE-2026-45866,
CVE-2026-45867, CVE-2026-45868, CVE-2026-45869, CVE-2026-45870,
CVE-2026-45871, CVE-2026-45872, CVE-2026-45873, CVE-2026-45875,
CVE-2026-45877, CVE-2026-45878, CVE-2026-45879, CVE-2026-45880,
CVE-2026-45881, CVE-2026-45882, CVE-2026-45883, CVE-2026-45884,
CVE-2026-45885, CVE-2026-45886, CVE-2026-45890, CVE-2026-45891,
CVE-2026-45893, CVE-2026-45895, CVE-2026-45902, CVE-2026-45904,
CVE-2026-45905, CVE-2026-45910, CVE-2026-45912, CVE-2026-45913,
CVE-2026-45914, CVE-2026-45915, CVE-2026-45916, CVE-2026-45917,
CVE-2026-45919, CVE-2026-45921, CVE-2026-45923, CVE-2026-45928,
CVE-2026-45935, CVE-2026-45936, CVE-2026-45938, CVE-2026-45941,
CVE-2026-45946, CVE-2026-45947, CVE-2026-45948, CVE-2026-45954,
CVE-2026-45957, CVE-2026-45960, CVE-2026-45962, CVE-2026-45964,
CVE-2026-45965, CVE-2026-45968, CVE-2026-45969, CVE-2026-45970,
CVE-2026-45972, CVE-2026-45973, CVE-2026-45974, CVE-2026-45976,
CVE-2026-45978, CVE-2026-45981, CVE-2026-45982, CVE-2026-45983,
CVE-2026-45984, CVE-2026-45988, CVE-2026-46043, CVE-2026-46115,
CVE-2026-46119, CVE-2026-46135, CVE-2026-46185, CVE-2026-46195,
CVE-2026-46243, CVE-2026-46244, CVE-2026-46246, CVE-2026-46247,
CVE-2026-46249, CVE-2026-46250, CVE-2026-46251, CVE-2026-46253,
CVE-2026-46254, CVE-2026-46255, CVE-2026-46259, CVE-2026-46260,
CVE-2026-46261, CVE-2026-46265, CVE-2026-46266, CVE-2026-46267,
CVE-2026-46270, CVE-2026-46289, CVE-2026-46328)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.8.0-1060-raspi 6.8.0-1060.64
linux-image-raspi 6.8.0-1060.64
linux-image-raspi-6.8 6.8.0-1060.64

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-8492-4
https://ubuntu.com/security/notices/USN-8492-3
https://ubuntu.com/security/notices/USN-8492-2
https://ubuntu.com/security/notices/USN-8492-1
CVE-2025-40005, CVE-2025-71229, CVE-2025-71231, CVE-2025-71232,
CVE-2025-71233, CVE-2025-71235, CVE-2025-71236, CVE-2025-71237,
CVE-2025-71238, CVE-2025-71239, CVE-2025-71265, CVE-2025-71266,
CVE-2025-71267, CVE-2025-71272, CVE-2025-71273, CVE-2025-71274,
CVE-2025-71286, CVE-2025-71291, CVE-2025-71292, CVE-2025-71294,
CVE-2025-71295, CVE-2025-71297, CVE-2025-71304, CVE-2025-71305,
CVE-2026-23100, CVE-2026-23169, CVE-2026-23220, CVE-2026-23221,
CVE-2026-23222, CVE-2026-23228, CVE-2026-23229, CVE-2026-23230,
CVE-2026-23233, CVE-2026-23234, CVE-2026-23235, CVE-2026-23236,
CVE-2026-23237, CVE-2026-23238, CVE-2026-23241, CVE-2026-23242,
CVE-2026-23243, CVE-2026-23249, CVE-2026-23266, CVE-2026-23267,
CVE-2026-23272, CVE-2026-23278, CVE-2026-23392, CVE-2026-23428,
CVE-2026-23450, CVE-2026-23455, CVE-2026-31402, CVE-2026-31411,
CVE-2026-31418, CVE-2026-31436, CVE-2026-31448, CVE-2026-31478,
CVE-2026-31607, CVE-2026-31637, CVE-2026-31649, CVE-2026-31657,
CVE-2026-31659, CVE-2026-31668, CVE-2026-31669, CVE-2026-31682,
CVE-2026-31685, CVE-2026-31687, CVE-2026-31693, CVE-2026-43011,
CVE-2026-43037, CVE-2026-43038, CVE-2026-43071, CVE-2026-43114,
CVE-2026-43117, CVE-2026-43123, CVE-2026-43124, CVE-2026-43128,
CVE-2026-43130, CVE-2026-43132, CVE-2026-43133, CVE-2026-43134,
CVE-2026-43135, CVE-2026-43136, CVE-2026-43137, CVE-2026-43139,
CVE-2026-43140, CVE-2026-43141, CVE-2026-43143, CVE-2026-43145,
CVE-2026-43147, CVE-2026-43148, CVE-2026-43149, CVE-2026-43150,
CVE-2026-43152, CVE-2026-43153, CVE-2026-43156, CVE-2026-43157,
CVE-2026-43158, CVE-2026-43159, CVE-2026-43163, CVE-2026-43167,
CVE-2026-43168, CVE-2026-43169, CVE-2026-43170, CVE-2026-43171,
CVE-2026-43173, CVE-2026-43175, CVE-2026-43180, CVE-2026-43182,
CVE-2026-43183, CVE-2026-43184, CVE-2026-43186, CVE-2026-43187,
CVE-2026-43189, CVE-2026-43190, CVE-2026-43194, CVE-2026-43196,
CVE-2026-43199, CVE-2026-43200, CVE-2026-43201, CVE-2026-43202,
CVE-2026-43203, CVE-2026-43205, CVE-2026-43206, CVE-2026-43207,
CVE-2026-43209, CVE-2026-43211, CVE-2026-43212, CVE-2026-43214,
CVE-2026-43215, CVE-2026-43218, CVE-2026-43221, CVE-2026-43222,
CVE-2026-43223, CVE-2026-43225, CVE-2026-43226, CVE-2026-43227,
CVE-2026-43230, CVE-2026-43231, CVE-2026-43232, CVE-2026-43233,
CVE-2026-43236, CVE-2026-43238, CVE-2026-43239, CVE-2026-43241,
CVE-2026-43242, CVE-2026-43244, CVE-2026-43246, CVE-2026-43248,
CVE-2026-43249, CVE-2026-43250, CVE-2026-43251, CVE-2026-43253,
CVE-2026-43255, CVE-2026-43256, CVE-2026-43257, CVE-2026-43258,
CVE-2026-43261, CVE-2026-43262, CVE-2026-43264, CVE-2026-43266,
CVE-2026-43268, CVE-2026-43269, CVE-2026-43270, CVE-2026-43271,
CVE-2026-43273, CVE-2026-43275, CVE-2026-43277, CVE-2026-43278,
CVE-2026-43279, CVE-2026-43283, CVE-2026-43287, CVE-2026-43288,
CVE-2026-43289, CVE-2026-43291, CVE-2026-43295, CVE-2026-43296,
CVE-2026-43297, CVE-2026-43300, CVE-2026-43302, CVE-2026-43304,
CVE-2026-43312, CVE-2026-43313, CVE-2026-43314, CVE-2026-43315,
CVE-2026-43316, CVE-2026-43317, CVE-2026-43318, CVE-2026-43319,
CVE-2026-43320, CVE-2026-43341, CVE-2026-43378, CVE-2026-43383,
CVE-2026-43384, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414,
CVE-2026-43493, CVE-2026-43501, CVE-2026-45847, CVE-2026-45848,
CVE-2026-45849, CVE-2026-45851, CVE-2026-45852, CVE-2026-45856,
CVE-2026-45857, CVE-2026-45859, CVE-2026-45860, CVE-2026-45861,
CVE-2026-45862, CVE-2026-45864, CVE-2026-45865, CVE-2026-45866,
CVE-2026-45867, CVE-2026-45868, CVE-2026-45869, CVE-2026-45870,
CVE-2026-45871, CVE-2026-45872, CVE-2026-45873, CVE-2026-45875,
CVE-2026-45877, CVE-2026-45878, CVE-2026-45879, CVE-2026-45880,
CVE-2026-45881, CVE-2026-45882, CVE-2026-45883, CVE-2026-45884,
CVE-2026-45885, CVE-2026-45886, CVE-2026-45890, CVE-2026-45891,
CVE-2026-45893, CVE-2026-45895, CVE-2026-45902, CVE-2026-45904,
CVE-2026-45905, CVE-2026-45910, CVE-2026-45912, CVE-2026-45913,
CVE-2026-45914, CVE-2026-45915, CVE-2026-45916, CVE-2026-45917,
CVE-2026-45919, CVE-2026-45921, CVE-2026-45923, CVE-2026-45928,
CVE-2026-45935, CVE-2026-45936, CVE-2026-45938, CVE-2026-45941,
CVE-2026-45946, CVE-2026-45947, CVE-2026-45948, CVE-2026-45954,
CVE-2026-45957, CVE-2026-45960, CVE-2026-45962, CVE-2026-45964,
CVE-2026-45965, CVE-2026-45968, CVE-2026-45969, CVE-2026-45970,
CVE-2026-45972, CVE-2026-45973, CVE-2026-45974, CVE-2026-45976,
CVE-2026-45978, CVE-2026-45981, CVE-2026-45982, CVE-2026-45983,
CVE-2026-45984, CVE-2026-45988, CVE-2026-46043, CVE-2026-46115,
CVE-2026-46119, CVE-2026-46135, CVE-2026-46185, CVE-2026-46195,
CVE-2026-46243, CVE-2026-46244, CVE-2026-46246, CVE-2026-46247,
CVE-2026-46249, CVE-2026-46250, CVE-2026-46251, CVE-2026-46253,
CVE-2026-46254, CVE-2026-46255, CVE-2026-46259, CVE-2026-46260,
CVE-2026-46261, CVE-2026-46265, CVE-2026-46266, CVE-2026-46267,
CVE-2026-46270, CVE-2026-46289, CVE-2026-46328

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1060.64



[USN-8490-2] Linux kernel (Raspberry Pi) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8490-2
July 09, 2026

linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- Block layer subsystem;
- Cryptographic API;
- DMA engine subsystem;
- InfiniBand drivers;
- STMicroelectronics network drivers;
- Network drivers;
- NVME drivers;
- SCSI subsystem;
- USB over IP driver;
- File systems infrastructure;
- Ext4 file system;
- Network file system (NFS) server daemon;
- SMB network file system;
- Kernel thread helper (kthread);
- IPv6 networking;
- Tracing infrastructure;
- Kernel exit() syscall;
- Scatterlist API;
- B.A.T.M.A.N. meshing protocol;
- Ethernet bridge;
- Ceph Core library;
- IPv4 networking;
- Multipath TCP;
- Netfilter;
- RxRPC session sockets;
- SMC sockets;
- X.25 network layer;
(CVE-2026-22984, CVE-2026-23272, CVE-2026-23278, CVE-2026-23392,
CVE-2026-23427, CVE-2026-23428, CVE-2026-23450, CVE-2026-23455,
CVE-2026-31402, CVE-2026-31418, CVE-2026-31436, CVE-2026-31448,
CVE-2026-31478, CVE-2026-31607, CVE-2026-31635, CVE-2026-31637,
CVE-2026-31649, CVE-2026-31657, CVE-2026-31659, CVE-2026-31668,
CVE-2026-31669, CVE-2026-31682, CVE-2026-31685, CVE-2026-31718,
CVE-2026-43011, CVE-2026-43037, CVE-2026-43038, CVE-2026-43071,
CVE-2026-43083, CVE-2026-43114, CVE-2026-43117, CVE-2026-43125,
CVE-2026-43186, CVE-2026-43197, CVE-2026-43304, CVE-2026-43341,
CVE-2026-43376, CVE-2026-43378, CVE-2026-43383, CVE-2026-43384,
CVE-2026-43402, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414,
CVE-2026-43493, CVE-2026-43501, CVE-2026-45898, CVE-2026-45988,
CVE-2026-46039, CVE-2026-46043, CVE-2026-46115, CVE-2026-46119,
CVE-2026-46135, CVE-2026-46185, CVE-2026-46195, CVE-2026-46243,
CVE-2026-46244, CVE-2026-46266, CVE-2026-46289, CVE-2026-46316,
CVE-2026-46325)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
linux-image-6.17.0-1021-raspi 6.17.0-1021.21
linux-image-raspi 6.17.0-1021.21
linux-image-raspi-6.17 6.17.0-1021.21

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-8490-2
https://ubuntu.com/security/notices/USN-8490-1
CVE-2026-22984, CVE-2026-23272, CVE-2026-23278, CVE-2026-23392,
CVE-2026-23427, CVE-2026-23428, CVE-2026-23450, CVE-2026-23455,
CVE-2026-31402, CVE-2026-31418, CVE-2026-31436, CVE-2026-31448,
CVE-2026-31478, CVE-2026-31607, CVE-2026-31635, CVE-2026-31637,
CVE-2026-31649, CVE-2026-31657, CVE-2026-31659, CVE-2026-31668,
CVE-2026-31669, CVE-2026-31682, CVE-2026-31685, CVE-2026-31718,
CVE-2026-43011, CVE-2026-43037, CVE-2026-43038, CVE-2026-43071,
CVE-2026-43083, CVE-2026-43114, CVE-2026-43117, CVE-2026-43125,
CVE-2026-43186, CVE-2026-43197, CVE-2026-43304, CVE-2026-43341,
CVE-2026-43376, CVE-2026-43378, CVE-2026-43383, CVE-2026-43384,
CVE-2026-43402, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414,
CVE-2026-43493, CVE-2026-43501, CVE-2026-45898, CVE-2026-45988,
CVE-2026-46039, CVE-2026-46043, CVE-2026-46115, CVE-2026-46119,
CVE-2026-46135, CVE-2026-46185, CVE-2026-46195, CVE-2026-46243,
CVE-2026-46244, CVE-2026-46266, CVE-2026-46289, CVE-2026-46316,
CVE-2026-46325

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi/6.17.0-1021.21



[USN-8522-1] LibRaw vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8522-1
July 09, 2026

libraw vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in LibRaw.

Software Description:
- libraw: raw image decoder library

Details:

It was discovered that LibRaw incorrectly handled certain Nikon RAW image
files. An attacker could possibly use this issue to cause LibRaw to crash,
resulting in a denial of service. (CVE-2026-5342)

It was discovered that LibRaw had an integer overflow in its DNG image
loader. An attacker could possibly use this issue to cause LibRaw to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-20884)

It was discovered that LibRaw incorrectly handled certain X3F thumbnail
data. An attacker could possibly use this issue to cause LibRaw to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-20889)

It was discovered that LibRaw had a heap-based buffer overflow in its
lossless JPEG image loader. An attacker could possibly use this issue to
cause LibRaw to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-21413)

It was discovered that LibRaw had an integer overflow in its uncompressed
floating-point DNG image loader. An attacker could possibly use this issue
to cause LibRaw to crash, resulting in a denial of service, or execute
arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.04.
(CVE-2026-24450)

It was discovered that LibRaw had a heap-based buffer overflow in its X3F
Huffman decoder. An attacker could possibly use this issue to cause LibRaw
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-24660)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libraw-bin 0.21.5b-1ubuntu1.1
libraw23t64 0.21.5b-1ubuntu1.1

Ubuntu 24.04 LTS
libraw-bin 0.21.2-2.1ubuntu0.24.04.2
libraw23t64 0.21.2-2.1ubuntu0.24.04.2

Ubuntu 22.04 LTS
libraw-bin 0.20.2-2ubuntu2.22.04.3
libraw20 0.20.2-2ubuntu2.22.04.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8522-1
CVE-2026-20884, CVE-2026-20889, CVE-2026-21413, CVE-2026-24450,
CVE-2026-24660, CVE-2026-5342

Package Information:
https://launchpad.net/ubuntu/+source/libraw/0.21.5b-1ubuntu1.1
https://launchpad.net/ubuntu/+source/libraw/0.21.2-2.1ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/libraw/0.20.2-2ubuntu2.22.04.3



[USN-8521-1] Libidn vulnerability


==========================================================================
Ubuntu Security Notice USN-8521-1
July 09, 2026

libidn vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Libidn could be made to crash or expose sensitive information if it
received specially crafted input.

Software Description:
- libidn: implementation of IETF IDN specifications

Details:

It was discovered that Libidn incorrectly handled certain internationalized
domain name strings. An attacker could possibly use this issue to obtain
sensitive information or cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libidn12 1.43-2ubuntu0.26.04.1

Ubuntu 24.04 LTS
libidn12 1.42-1ubuntu0.1

Ubuntu 22.04 LTS
libidn12 1.38-4ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8521-1
CVE-2026-57053

Package Information:
https://launchpad.net/ubuntu/+source/libidn/1.43-2ubuntu0.26.04.1
https://launchpad.net/ubuntu/+source/libidn/1.42-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libidn/1.38-4ubuntu1.1



[USN-8524-1] Python vulnerability


==========================================================================
Ubuntu Security Notice USN-8524-1
July 09, 2026

python2.7, python3.5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Python could be made to crash if it received specially crafted
input.

Software Description:
- python2.7: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language

Details:

It was discovered that Python did not use sufficient entropy for Expat
hash-flooding protection in the xml.parsers.expat and xml.etree.ElementTree
modules. An attacker could use this to cause a denial of service via a
crafted XML document.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
idle-python2.7 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
idle-python3.5 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
libpython2.7 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
libpython2.7-dev 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
libpython2.7-minimal 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
libpython2.7-stdlib 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
libpython2.7-testsuite 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
libpython3.5 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
libpython3.5-dev 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
libpython3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
libpython3.5-stdlib 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
libpython3.5-testsuite 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
python2.7 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
python2.7-dev 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
python2.7-doc 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
python2.7-examples 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
python2.7-minimal 2.7.12-1ubuntu0~16.04.18+esm20
Available with Ubuntu Pro
python3.5 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
python3.5-dev 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
python3.5-doc 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
python3.5-examples 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
python3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro
python3.5-venv 3.5.2-2ubuntu0~16.04.13+esm23
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8524-1
CVE-2026-7210



[USN-8520-1] Expat vulnerability


==========================================================================
Ubuntu Security Notice USN-8520-1
July 09, 2026

expat vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Expat could be made to crash if it received specially crafted input.

Software Description:
- expat: XML parsing C library

Details:

It was discovered that Expat used insufficient entropy when generating
hash salt values for its internal hash table. An attacker could use this
to craft an XML document that triggers hash flooding, leading to a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
libexpat1 2.1.0-7ubuntu0.16.04.5+esm12
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8520-1
CVE-2026-41080



[USN-8519-1] Go Cryptography vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8519-1
July 09, 2026

golang-go.crypto vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Go Cryptography could be made to crash if it received specially crafted
network traffic.

Software Description:
- golang-go.crypto: Supplementary Go cryptography libraries

Details:

Jakub Ciolek and Nicola Murino discovered that Go Cryptography incorrectly
handled SSH agent responses. An attacker could use this to cause a denial
of service. (CVE-2025-47913)

Yuichi Watanabe discovered that Go Cryptography incorrectly handled SSH
key exchanges. An attacker could use this to cause a denial of service.
(CVE-2025-22869)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
golang-golang-x-crypto-dev 1:0.25.0-1ubuntu0.1

Ubuntu 24.04 LTS
golang-golang-x-crypto-dev 1:0.19.0-1ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 22.04 LTS
golang-golang-x-crypto-dev 1:0.0~git20211202.5770296-1ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 20.04 LTS
golang-golang-x-crypto-dev 1:0.0~git20200221.2aa609c-1ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
golang-go.crypto-dev 1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm3
Available with Ubuntu Pro
golang-golang-x-crypto-dev 1:0.0~git20170629.0.5ef0053-2ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 16.04 LTS
golang-go.crypto-dev 1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm3
Available with Ubuntu Pro
golang-golang-x-crypto-dev 1:0.0~git20151201.0.7b85b09-2ubuntu0.1~esm3
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8519-1
CVE-2025-22869, CVE-2025-47913

Package Information:
https://launchpad.net/ubuntu/+source/golang-go.crypto/1:0.25.0-1ubuntu0.1



[USN-8525-1] curl vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8525-1
July 09, 2026

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled credentials when
following HTTP redirects in conjunction with .netrc files. An attacker
could possibly use this issue to obtain sensitive information. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS.
(CVE-2024-11053)

Hiroki Kurosawa discovered that curl incorrectly handled OCSP stapling
responses. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu
18.04 LTS. (CVE-2024-8096)

Joshua Rogers discovered that curl had a use-after-free vulnerability when
resetting and cleaning up HTTP/2 stream handles. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10.
(CVE-2026-10536)

Quac Tran and Ngoc Hieu discovered that curl incorrectly reused connections
when switching authentication methods to the same host. An attacker could
possibly use this issue to obtain sensitive information or perform
unauthorized actions. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-5545)

Osama Hamad discovered that curl incorrectly reused SMB connections when
the target share differed between transfers. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2026-5773)

Muhamad Arga Reksapati discovered that curl incorrectly forwarded Digest
proxy authentication credentials to a different proxy host. An attacker
could possibly use this issue to obtain sensitive information. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2026-7168)

It was discovered that curl incorrectly skipped SSH host verification
options when using schemeless URLs with --proto-default. An attacker could
possibly use this issue to perform machine-in-the-middle attacks. This
issue only affected Ubuntu 25.04 and Ubuntu 25.10. (CVE-2026-12064)

It was discovered that curl did not enforce an upper bound on memory
allocated for unacknowledged WebSocket PING frames. A remote attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 25.10. (CVE-2026-11586)

It was discovered that curl could stall indefinitely when a malicious
HTTP/3 server sent a continuous stream of empty UDP datagrams. A remote
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 25.10. (CVE-2026-11352)

It was discovered that curl could incorrectly continue trusting a native
platform CA store after an application switched the handle to use custom CA
material. An attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 25.10. (CVE-2026-11564)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
curl 8.18.0-1ubuntu2.3
libcurl3t64-gnutls 8.18.0-1ubuntu2.3
libcurl4-gnutls-dev 8.18.0-1ubuntu2.3
libcurl4-openssl-dev 8.18.0-1ubuntu2.3
libcurl4t64 8.18.0-1ubuntu2.3

Ubuntu 25.10
curl 8.14.1-2ubuntu1.5
libcurl3t64-gnutls 8.14.1-2ubuntu1.5
libcurl4-gnutls-dev 8.14.1-2ubuntu1.5
libcurl4-openssl-dev 8.14.1-2ubuntu1.5
libcurl4t64 8.14.1-2ubuntu1.5

Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.11
libcurl3t64-gnutls 8.5.0-2ubuntu10.11
libcurl4-gnutls-dev 8.5.0-2ubuntu10.11
libcurl4-openssl-dev 8.5.0-2ubuntu10.11
libcurl4t64 8.5.0-2ubuntu10.11

Ubuntu 20.04 LTS
curl 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro
libcurl3-gnutls 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro
libcurl3-nss 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro
libcurl4 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro
libcurl4-nss-dev 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro
libcurl4-openssl-dev 7.68.0-1ubuntu2.25+esm5
Available with Ubuntu Pro

Ubuntu 18.04 LTS
curl 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro
libcurl3-gnutls 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro
libcurl3-nss 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro
libcurl4 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro
libcurl4-nss-dev 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro
libcurl4-openssl-dev 7.58.0-2ubuntu3.24+esm10
Available with Ubuntu Pro

Ubuntu 16.04 LTS
curl 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro
libcurl3 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro
libcurl3-nss 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro
libcurl4-nss-dev 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro
libcurl4-openssl-dev 7.47.0-1ubuntu2.19+esm17
Available with Ubuntu Pro

Ubuntu 14.04 LTS
curl 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro
libcurl3 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro
libcurl3-nss 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro
libcurl4-nss-dev 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro
libcurl4-openssl-dev 7.35.0-1ubuntu2.20+esm21
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8525-1
CVE-2024-11053, CVE-2024-8096, CVE-2026-10536, CVE-2026-11352,
CVE-2026-11564, CVE-2026-11586, CVE-2026-12064, CVE-2026-5545,
CVE-2026-5773, CVE-2026-7168

Package Information:
https://launchpad.net/ubuntu/+source/curl/8.18.0-1ubuntu2.3
https://launchpad.net/ubuntu/+source/curl/8.14.1-2ubuntu1.5
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.11



[USN-8526-1] libheif vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8526-1
July 09, 2026

libheif vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10

Summary:

Several security issues were fixed in libheif.

Software Description:
- libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder

Details:

Xianrui Dong discovered that libheif had an out-of-bounds read in its
HEIF sequence track parser. An attacker could possibly use this issue
to cause a denial of service or obtain sensitive information. This issue
only affected Ubuntu 26.04 LTS. (CVE-2026-47254)

Junyi Liu discovered that libheif had a null pointer dereference in its
image tiling interface. An attacker could possibly use this issue to
cause a denial of service. (CVE-2026-47709)

Calvin Young and Enoch Chow discovered that libheif had an integer
overflow in its inline mask size calculation. An attacker could
possibly use this issue to cause a denial of service or obtain sensitive
information. (CVE-2026-47714)

Ariel Koren discovered that libheif had an integer underflow in its
grid image tile coordinate transform. An attacker could possibly use
this issue to cause a denial of service or obtain sensitive information.
(CVE-2026-48029)

It was discovered that libheif had a missing bound check in its HEIF
sequence parser, allowing unbounded heap allocation. An attacker could
possibly use this issue to cause a denial of service. (CVE-2026-50142)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
heif-gdk-pixbuf 1.21.2-3ubuntu0.3
heif-thumbnailer 1.21.2-3ubuntu0.3
heif-view 1.21.2-3ubuntu0.3
libheif-dev 1.21.2-3ubuntu0.3
libheif-examples 1.21.2-3ubuntu0.3
libheif-plugin-aomdec 1.21.2-3ubuntu0.3
libheif-plugin-aomenc 1.21.2-3ubuntu0.3
libheif-plugin-dav1d 1.21.2-3ubuntu0.3
libheif-plugin-ffmpegdec 1.21.2-3ubuntu0.3
libheif-plugin-j2kdec 1.21.2-3ubuntu0.3
libheif-plugin-j2kenc 1.21.2-3ubuntu0.3
libheif-plugin-jpegdec 1.21.2-3ubuntu0.3
libheif-plugin-jpegenc 1.21.2-3ubuntu0.3
libheif-plugin-kvazaar 1.21.2-3ubuntu0.3
libheif-plugin-libde265 1.21.2-3ubuntu0.3
libheif-plugin-rav1e 1.21.2-3ubuntu0.3
libheif-plugin-svtenc 1.21.2-3ubuntu0.3
libheif-plugin-x265 1.21.2-3ubuntu0.3
libheif-plugins-all 1.21.2-3ubuntu0.3
libheif1 1.21.2-3ubuntu0.3

Ubuntu 25.10
heif-gdk-pixbuf 1.20.2-1ubuntu0.6
heif-thumbnailer 1.20.2-1ubuntu0.6
heif-view 1.20.2-1ubuntu0.6
libheif-dev 1.20.2-1ubuntu0.6
libheif-examples 1.20.2-1ubuntu0.6
libheif-plugin-aomdec 1.20.2-1ubuntu0.6
libheif-plugin-aomenc 1.20.2-1ubuntu0.6
libheif-plugin-dav1d 1.20.2-1ubuntu0.6
libheif-plugin-ffmpegdec 1.20.2-1ubuntu0.6
libheif-plugin-j2kdec 1.20.2-1ubuntu0.6
libheif-plugin-j2kenc 1.20.2-1ubuntu0.6
libheif-plugin-jpegdec 1.20.2-1ubuntu0.6
libheif-plugin-jpegenc 1.20.2-1ubuntu0.6
libheif-plugin-kvazaar 1.20.2-1ubuntu0.6
libheif-plugin-libde265 1.20.2-1ubuntu0.6
libheif-plugin-rav1e 1.20.2-1ubuntu0.6
libheif-plugin-svtenc 1.20.2-1ubuntu0.6
libheif-plugin-x265 1.20.2-1ubuntu0.6
libheif-plugins-all 1.20.2-1ubuntu0.6
libheif1 1.20.2-1ubuntu0.6

In general, a standard system update will make all the necessary
changes.

References:
https://ubuntu.com/security/notices/USN-8526-1
CVE-2026-47254, CVE-2026-47709, CVE-2026-47714, CVE-2026-48029,
CVE-2026-50142

Package Information:
https://launchpad.net/ubuntu/+source/libheif/1.21.2-3ubuntu0.3
https://launchpad.net/ubuntu/+source/libheif/1.20.2-1ubuntu0.6



[USN-8523-1] libsoup vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8523-1
July 09, 2026

libsoup2.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in libsoup.

Software Description:
- libsoup2.4: HTTP client/server library for GNOME

Details:

Eric Su and Samuel Dainard discovered that libsoup incorrectly handled
content with zero-length resources. An attacker could possibly use this
issue to trigger a buffer over-read, resulting in information disclosure
or a denial of service. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and
Ubuntu 26.04 LTS. (CVE-2026-2369)

Kona Arctic discovered that libsoup did not properly protect sensitive
cookies when establishing HTTPS tunnels through an HTTP proxy. An
attacker could possibly use this issue to intercept session cookies,
resulting in session hijacking or user impersonation. (CVE-2026-5119)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libsoup-2.4-1 2.74.3-10.1ubuntu5+esm1
Available with Ubuntu Pro
libsoup-gnome-2.4-1 2.74.3-10.1ubuntu5+esm1
Available with Ubuntu Pro
libsoup2.4-common 2.74.3-10.1ubuntu5+esm1
Available with Ubuntu Pro
libsoup2.4-dev 2.74.3-10.1ubuntu5+esm1
Available with Ubuntu Pro
libsoup2.4-tests 2.74.3-10.1ubuntu5+esm1
Available with Ubuntu Pro

Ubuntu 25.10
libsoup-2.4-1 2.74.3-10.1ubuntu4.1
libsoup-gnome-2.4-1 2.74.3-10.1ubuntu4.1
libsoup2.4-common 2.74.3-10.1ubuntu4.1
libsoup2.4-dev 2.74.3-10.1ubuntu4.1
libsoup2.4-tests 2.74.3-10.1ubuntu4.1

Ubuntu 24.04 LTS
libsoup-2.4-1 2.74.3-6ubuntu1.7
libsoup-gnome-2.4-1 2.74.3-6ubuntu1.7
libsoup2.4-common 2.74.3-6ubuntu1.7
libsoup2.4-dev 2.74.3-6ubuntu1.7
libsoup2.4-tests 2.74.3-6ubuntu1.7

Ubuntu 22.04 LTS
libsoup-gnome2.4-1 2.74.2-3ubuntu0.7
libsoup2.4-1 2.74.2-3ubuntu0.7
libsoup2.4-common 2.74.2-3ubuntu0.7
libsoup2.4-dev 2.74.2-3ubuntu0.7
libsoup2.4-tests 2.74.2-3ubuntu0.7

Ubuntu 20.04 LTS
libsoup-gnome2.4-1 2.70.0-1ubuntu0.5+esm2
Available with Ubuntu Pro
libsoup2.4-1 2.70.0-1ubuntu0.5+esm2
Available with Ubuntu Pro
libsoup2.4-dev 2.70.0-1ubuntu0.5+esm2
Available with Ubuntu Pro
libsoup2.4-tests 2.70.0-1ubuntu0.5+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libsoup-gnome2.4-1 2.62.1-1ubuntu0.4+esm7
Available with Ubuntu Pro
libsoup2.4-1 2.62.1-1ubuntu0.4+esm7
Available with Ubuntu Pro
libsoup2.4-dev 2.62.1-1ubuntu0.4+esm7
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libsoup-gnome2.4-1 2.52.2-1ubuntu0.3+esm6
Available with Ubuntu Pro
libsoup2.4-1 2.52.2-1ubuntu0.3+esm6
Available with Ubuntu Pro
libsoup2.4-dev 2.52.2-1ubuntu0.3+esm6
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8523-1
CVE-2026-2369, CVE-2026-5119

Package Information:
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.3-10.1ubuntu4.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.3-6ubuntu1.7
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.2-3ubuntu0.7