[USN-8216-1] .NET vulnerabilities
[USN-8215-1] .NET vulnerability
[USN-8087-3] python-cryptography vulnerability
[USN-8221-1] wheel vulnerability
[USN-8195-3] PackageKit vulnerability
[USN-8222-1] OpenSSH vulnerabilities
[USN-8224-1] Linux kernel (BlueField) vulnerabilities
[USN-8223-1] Roundcube Webmail vulnerabilities
[USN-8216-1] .NET vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8216-1
April 28, 2026
dotnet10 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
Summary:
Several security issues were fixed in .NET.
Software Description:
Details:
Ludvig Pedersen discovered that the System.Security.Cryptography.Xml
library in .NET incorrectly handled certain XML inputs. An attacker could
possibly use this issue to consume excessive resources, resulting in a
denial of service. (CVE-2026-33116, CVE-2026-26171)
Ludvig Pedersen and Kevin Jones discovered that the
System.Security.Cryptography.Xml library in .NET incorrectly handled
certain XML inputs. An attacker could possibly use this issue to cause
.NET to crash, resulting in a denial of service. (CVE-2026-32203)
Ludvig Pedersen discovered that the System.Net.Mail component in .NET
incorrectly handled certain inputs. An attacker could possibly use this
issue to perform a network spoofing attack. (CVE-2026-32178)
It was discovered that the Microsoft.AspNetCore.DataProtection library in
.NET did not properly verify cryptographic signatures under certain
conditions. A remote attacker could possibly use this issue to elevate
privileges. (CVE-2026-40372)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
After a standard system update, it is recommended to rotate the
DataProtection key ring.
References:
https://ubuntu.com/security/notices/USN-8216-1
CVE-2026-26171, CVE-2026-32178, CVE-2026-32203, CVE-2026-33116,
CVE-2026-40372
[USN-8215-1] .NET vulnerability
==========================================================================
Ubuntu Security Notice USN-8215-1
April 28, 2026
dotnet10 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
.NET could be made to crash or run programs as an administrator.
Software Description:
- dotnet10: .NET CLI tools and runtime
Details:
It was discovered that the Microsoft.AspNetCore.DataProtection library in
.NET did not properly verify cryptographic signatures under certain
conditions. A remote attacker could possibly use this issue to elevate
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
aspnetcore-runtime-10.0 10.0.7-0ubuntu1~25.10.1
dotnet-host-10.0 10.0.7-0ubuntu1~25.10.1
dotnet-hostfxr-10.0 10.0.7-0ubuntu1~25.10.1
dotnet-runtime-10.0 10.0.7-0ubuntu1~25.10.1
dotnet-sdk-10.0 10.0.107-0ubuntu1~25.10.1
dotnet-sdk-aot-10.0 10.0.107-0ubuntu1~25.10.1
dotnet10 10.0.107-10.0.7-0ubuntu1~25.10.1
Ubuntu 24.04 LTS
aspnetcore-runtime-10.0 10.0.7-0ubuntu1~24.04.1
dotnet-host-10.0 10.0.7-0ubuntu1~24.04.1
dotnet-hostfxr-10.0 10.0.7-0ubuntu1~24.04.1
dotnet-runtime-10.0 10.0.7-0ubuntu1~24.04.1
dotnet-sdk-10.0 10.0.107-0ubuntu1~24.04.1
dotnet-sdk-aot-10.0 10.0.107-0ubuntu1~24.04.1
dotnet10 10.0.107-10.0.7-0ubuntu1~24.04.1
After a standard system update, it is recommended to rotate the
DataProtection key ring.
References:
https://ubuntu.com/security/notices/USN-8215-1
CVE-2026-40372
Package Information:
https://launchpad.net/ubuntu/+source/dotnet10/10.0.107-10.0.7-0ubuntu1~25.10.1
https://launchpad.net/ubuntu/+source/dotnet10/10.0.107-10.0.7-0ubuntu1~24.04.1
[USN-8087-3] python-cryptography vulnerability
==========================================================================
Ubuntu Security Notice USN-8087-3
April 28, 2026
python-cryptography vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
python-cryptography could be made to expose sensitive information over the
network.
Software Description:
- python-cryptography: Cryptography Python library
Details:
USN-8087-1 fixed a vulnerability in python-cryptography. This update
provides the corresponding update to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that python-cryptography incorrectly handled subgroup
validation for SECT curves. A remote attacker could use this issue to
perform a subgroup attack and possibly recover the least significant bits
of private keys.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
python-cryptography 2.8-3ubuntu0.3+esm2
Available with Ubuntu Pro
python3-cryptography 2.8-3ubuntu0.3+esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python-cryptography 2.1.4-1ubuntu1.4+esm3
Available with Ubuntu Pro
python3-cryptography 2.1.4-1ubuntu1.4+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-cryptography 1.2.3-1ubuntu0.3+esm3
Available with Ubuntu Pro
python3-cryptography 1.2.3-1ubuntu0.3+esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8087-3
https://ubuntu.com/security/notices/USN-8087-2
https://ubuntu.com/security/notices/USN-8087-1
CVE-2026-26007
[USN-8221-1] wheel vulnerability
==========================================================================
Ubuntu Security Notice USN-8221-1
April 29, 2026
wheel vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
wheel could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- wheel: Command line tool for manipulating Python wheel files
Details:
It was discovered that wheel did not correctly handle certain file paths.
If a user or automated system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python-wheel-common 0.42.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
python3-wheel 0.42.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
python3-wheel-whl 0.42.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8221-1
CVE-2026-24049
[USN-8195-3] PackageKit vulnerability
==========================================================================
Ubuntu Security Notice USN-8195-3
April 29, 2026
packagekit vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
PackageKit could be made to install packages as the administrator.
Software Description:
- packagekit: Provides a package management service
Details:
USN-8195-1 fixed a vulnerability in PackageKit. This update provides
the corresponding fix to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that PackageKit incorrectly handled certain transactions.
A local attacker could use this issue to install arbitrary packages as
root, possibly resulting in privilege escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
packagekit 1.1.13-2ubuntu1.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
packagekit 1.1.9-1ubuntu2.18.04.6+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
packagekit 0.8.17-4ubuntu6~gcc5.4ubuntu1.5+esm1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8195-3
https://ubuntu.com/security/notices/USN-8195-2
https://ubuntu.com/security/notices/USN-8195-1
CVE-2026-41651
[USN-8222-1] OpenSSH vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8222-1
April 29, 2026
openssh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in OpenSSH.
Software Description:
- openssh: secure shell (SSH) for secure access to remote machines
Details:
Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly
handled the legacy scp protocol (-O) option. This could result in certain
files being installed setuid or setgid, contrary to expectations.
(CVE-2026-35385)
Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell
metacharacters in usernames within a command line. When untrusted usernames
and non-default configurations using % in ssh_config are being used, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-35386)
Christos Papakonstantinou discovered that OpenSSH incorrectly handled
parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms
options. This could result in unintended ECDSA algorithms being used,
contrary to expectations. (CVE-2026-35387)
Michalis Vasileiadis discovered that OpenSSH incorrectly handled
proxy-mode multiplexing sessions. This could result in no confirmation
being asked, contrary to expectations. (CVE-2026-35388)
Vladimir Tokarev discovered that OpenSSH incorrectly handled certificates
with the principal name containing a comma character when using user-trusted
CA keys in authorized_keys and an authorized_keys principals="" option
that lists more than one principal. This could result in inappropriate
principal matching, contrary to expectations. (CVE-2026-35414)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openssh-client 1:10.2p1-2ubuntu3.2
openssh-server 1:10.2p1-2ubuntu3.2
Ubuntu 25.10
openssh-client 1:10.0p1-5ubuntu5.4
openssh-server 1:10.0p1-5ubuntu5.4
Ubuntu 24.04 LTS
openssh-client 1:9.6p1-3ubuntu13.16
openssh-server 1:9.6p1-3ubuntu13.16
Ubuntu 22.04 LTS
openssh-client 1:8.9p1-3ubuntu0.15
openssh-server 1:8.9p1-3ubuntu0.15
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8222-1
CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388,
CVE-2026-35414
Package Information:
https://launchpad.net/ubuntu/+source/openssh/1:10.2p1-2ubuntu3.2
https://launchpad.net/ubuntu/+source/openssh/1:10.0p1-5ubuntu5.4
https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.16
https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.15
[USN-8224-1] Linux kernel (BlueField) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8224-1
April 29, 2026
linux-bluefield vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms
Details:
Qualys discovered that several vulnerabilities existed in the AppArmor
Linux kernel Security Module (LSM). An unprivileged local attacker could
use these issues to load, replace, and remove arbitrary AppArmor profiles
causing denial of service, exposure of sensitive information (kernel
memory), local privilege escalation, or possibly escape a container.
(LP: #2143853, CVE-2026-23268, CVE-2026-23269, CVE-2026-23403,
CVE-2026-23404, CVE-2026-23405, CVE-2026-23406, CVE-2026-23407,
CVE-2026-23408, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- x86 architecture;
- Cryptographic API;
- GPU drivers;
- I2C subsystem;
- BTRFS file system;
- XFRM subsystem;
- Padata parallel execution mechanism;
- IPv4 networking;
- IPv6 networking;
- MAC80211 subsystem;
- Netfilter;
- Network traffic control;
- SMC sockets;
(CVE-2021-47599, CVE-2022-48875, CVE-2022-49046, CVE-2022-49698,
CVE-2024-46816, CVE-2024-49927, CVE-2024-56640, CVE-2025-21726,
CVE-2025-21780, CVE-2025-37849, CVE-2025-40019, CVE-2025-40215,
CVE-2026-23060, CVE-2026-23074)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
linux-image-5.4.0-1116-bluefield 5.4.0-1116.123
Available with Ubuntu Pro
linux-image-bluefield 5.4.0.1116.112
Available with Ubuntu Pro
linux-image-bluefield-5.4 5.4.0.1116.112
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-8224-1
https://launchpad.net/bugs/2143853
CVE-2021-47599, CVE-2022-48875, CVE-2022-49046, CVE-2022-49698,
CVE-2024-46816, CVE-2024-49927, CVE-2024-56640, CVE-2025-21726,
CVE-2025-21780, CVE-2025-37849, CVE-2025-40019, CVE-2025-40215,
CVE-2026-23060, CVE-2026-23074, CVE-2026-23268, CVE-2026-23269,
CVE-2026-23403, CVE-2026-23404, CVE-2026-23405, CVE-2026-23406,
CVE-2026-23407, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411,
[USN-8223-1] Roundcube Webmail vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8223-1
April 29, 2026
roundcube vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Roundcube Webmail.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapackage
Details:
It was discovered that Roundcube Webmail mishandled Punycode xn-- domain names.
An attacker could possibly use this issue to cause a homograph attack. (CVE-2019-15237)
It was discovered that Roundcube Webmail did not properly sanitize certain
attributes when handling CSS within HTML messages and certain SVG attributes.
An attacker could possibly use this issue to cause a cross-site scripting attack.
(CVE-2024-38356, CVE-2024-38357)
It was discovered that Roundcube Webmail did not properly sanitize certain HTML
attributes when rendering e-mail messages. An attacker could possibly use this
issue to cause a cross-site scripting attack. (CVE-2024-42008)
It was discovered that Roundcube Webmail did not properly filter certain CSS token
sequences within rendered e-mail messages. An attacker could possibly use this
issue to obtain sensitive information. (CVE-2024-42010)
It was discovered that Roundcube Webmail did not properly treat an SVG
tag as an image source within its HTML sanitizer. An attacker could possibly use
this issue to bypass remote image blocking to track email open actions or
potentially bypass access control. (CVE-2026-25916)
It was discovered that Roundcube Webmail did not properly handle comments within
Cascading Style Sheets (CSS). An attacker could possibly use this issue to perform
a CSS injection attack. (CVE-2026-26079)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
roundcube-core 1.6.6+dfsg-2ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 22.04 LTS
roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm6
Available with Ubuntu Pro
roundcube-plugins 1.5.0+dfsg.1-2ubuntu0.1~esm6
Available with Ubuntu Pro
Ubuntu 20.04 LTS
roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm8
Available with Ubuntu Pro
roundcube-plugins 1.4.3+dfsg.1-1ubuntu0.1~esm8
Available with Ubuntu Pro
Ubuntu 18.04 LTS
roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm8
Available with Ubuntu Pro
roundcube-plugins 1.3.6+dfsg.1-1ubuntu0.1~esm8
Available with Ubuntu Pro
Ubuntu 16.04 LTS
roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm8
Available with Ubuntu Pro
roundcube-plugins 1.2~beta+dfsg.1-0ubuntu1+esm8
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8223-1
CVE-2019-15237, CVE-2024-38356, CVE-2024-38357, CVE-2024-42008,
CVE-2024-42010, CVE-2026-25916, CVE-2026-26079
