[USN-8316-1] CableSwig vulnerabilities
[USN-8329-1] FFmpeg vulnerability
[USN-8341-1] OpenJDK 26 vulnerabilities
[USN-8342-1] Vim vulnerability
[USN-8229-2] sed vulnerability
[USN-8339-1] OpenJDK 25 vulnerabilities
[USN-8344-1] pip vulnerabilities
[USN-8340-1] LibreOffice vulnerability
[USN-8343-1] multipart vulnerability
[USN-8338-1] Apache HTTP Server vulnerabilities
[USN-8328-1] OpenJDK 21 vulnerabilities
[USN-8327-1] OpenJDK 17 vulnerabilities
[USN-8333-1] CRaC JDK 21 vulnerabilities
[USN-8334-1] CRaC JDK 25 vulnerabilities
[USN-8332-1] CRaC JDK 17 vulnerabilities
[USN-8330-1] OpenJDK 8 vulnerabilities
[USN-8331-1] OpenJDK 11 vulnerabilities
[USN-8337-1] QtSvg vulnerabilities
[USN-8336-1] PHP vulnerabilities
[USN-8335-1] pyOpenSSL vulnerability

[USN-8316-1] CableSwig vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8316-1
May 27, 2026

cableswig vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in CableSwig.

Software Description:
- cableswig: Generate wrappers for Python and Tcl from C++ code

Details:

It was discovered that Expat, vendored in CableSwig, incorrectly handled
certain files. An attacker could possibly use this issue to cause a crash
or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
cableswig 0.1.0+git20150808-2ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8316-1
CVE-2022-25235, CVE-2022-25236

[USN-8329-1] FFmpeg vulnerability
==========================================================================
Ubuntu Security Notice USN-8329-1
May 28, 2026

ffmpeg vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

FFmpeg could be made to crash if it received specially crafted input.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that the FFmpeg CAF decoder incorrectly handled certain
file size calculations. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
ffmpeg 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavcodec-extra60 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavcodec60 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavdevice60 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavfilter-extra9 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavfilter9 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavformat-extra60 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavformat60 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libavutil58 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libpostproc57 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libswresample4 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro
libswscale7 7:6.1.1-3ubuntu5+esm8
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8329-1
CVE-2024-36617

[USN-8341-1] OpenJDK 26 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8341-1
May 28, 2026

openjdk-26 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10

Summary:

Several security issues were fixed in OpenJDK 26.

Software Description:
- openjdk-26: Open Source Java implementation

Details:

Thomas Beckers discovered that the JAXP component of OpenJDK 26 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)

It was discovered that the Networking component of OpenJDK 26 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)

It was discovered that the JSSE component of OpenJDK 26 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could
possibly use this issue to cause a denial of service. (CVE-2026-22021)

It was discovered that the JGSS component of OpenJDK 26 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)

It was discovered that the 2D component of OpenJDK 26 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could
possibly use this issue to obtain sensitive information. (CVE-2026-23865)

It was discovered that the Libraries component of OpenJDK 26 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to modify data. (CVE-2026-22008)

It was discovered that the Libraries component of OpenJDK 26 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)

Ken Pyle discovered that the Security component of OpenJDK 26 did not
correctly authenticate certain APIs. A local attacker could possibly
use this issue to obtain sensitive information.
(CVE-2026-22007, CVE-2026-34268)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-26-jdk 26.0.1+8-2~26.04.2
openjdk-26-jdk-headless 26.0.1+8-2~26.04.2
openjdk-26-jre 26.0.1+8-2~26.04.2
openjdk-26-jre-headless 26.0.1+8-2~26.04.2
openjdk-26-jre-zero 26.0.1+8-2~26.04.2

Ubuntu 25.10
openjdk-26-jdk 26.0.1+8-2~25.10.2
openjdk-26-jdk-headless 26.0.1+8-2~25.10.2
openjdk-26-jre 26.0.1+8-2~25.10.2
openjdk-26-jre-headless 26.0.1+8-2~25.10.2
openjdk-26-jre-zero 26.0.1+8-2~25.10.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running
Java applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8341-1
CVE-2026-22007, CVE-2026-22008, CVE-2026-22013, CVE-2026-22016,
CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268,
CVE-2026-34282

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-26/26.0.1+8-2~26.04.2
https://launchpad.net/ubuntu/+source/openjdk-26/26.0.1+8-2~25.10.2

[USN-8342-1] Vim vulnerability
==========================================================================
Ubuntu Security Notice USN-8342-1
May 28, 2026

vim vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Vim could be made to run arbitrary programs if it opened a specially
crafted file.

Software Description:
- vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim did not properly handle backticks in tag
filenames. An attacker could possibly use this issue to execute
arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
vim 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-athena 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-common 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-gtk 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-gtk3 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-nox 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-runtime 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
vim-tiny 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro
xxd 2:8.1.2269-1ubuntu5.32+esm6
Available with Ubuntu Pro

Ubuntu 18.04 LTS
vim 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-athena 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-common 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-gnome 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-gtk 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-gtk3 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-nox 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-runtime 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
vim-tiny 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro
xxd 2:8.0.1453-1ubuntu1.13+esm18
Available with Ubuntu Pro

Ubuntu 16.04 LTS
vim 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-athena 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-athena-py2 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-common 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-gnome 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-gnome-py2 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-gtk 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-gtk-py2 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-gtk3 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-gtk3-py2 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-nox 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-nox-py2 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-runtime 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro
vim-tiny 2:7.4.1689-3ubuntu1.5+esm33
Available with Ubuntu Pro

Ubuntu 14.04 LTS
vim 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-athena 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-common 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-gnome 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-gtk 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-lesstif 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-nox 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-runtime 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro
vim-tiny 2:7.4.052-1ubuntu3.1+esm27
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8342-1
CVE-2026-41411

[USN-8229-2] sed vulnerability
==========================================================================
Ubuntu Security Notice USN-8229-2
May 28, 2026

sed vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

sed could be made to overwrite files.

Software Description:
- sed: GNU stream editor for filtering/transforming text

Details:

USN-8229-1 fixed a vulnerability in sed. This update provides the
corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

Original advisory details:

Michał Majchrowicz and Marcin Wyczechowski discovered that sed
incorrectly handled symbolic links when performing in-place edits.
A local attacker could possibly use this issue to overwrite
arbitrary files.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
sed 4.7-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
sed 4.4-2ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8229-2
https://ubuntu.com/security/notices/USN-8229-1
CVE-2026-5958

[USN-8339-1] OpenJDK 25 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8339-1
May 28, 2026

openjdk-25 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in OpenJDK 25.

Software Description:
- openjdk-25: Open Source Java implementation

Details:

Thomas Beckers discovered that the JAXP component of OpenJDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)

It was discovered that the Networking component of OpenJDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)

It was discovered that the JSSE component of OpenJDK 25 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)

It was discovered that the JGSS component of OpenJDK 25 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)

It was discovered that the 2D component of OpenJDK 25 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to obtain sensitive information. (CVE-2026-23865)

It was discovered that the Libraries component of OpenJDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to modify data. (CVE-2026-22008)

It was discovered that the Libraries component of OpenJDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)

Ken Pyle discovered that the Security component of OpenJDK 25 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-22007,
CVE-2026-34268)

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-25-jdk 25.0.3+9-2~26.04.2
openjdk-25-jdk-headless 25.0.3+9-2~26.04.2
openjdk-25-jre 25.0.3+9-2~26.04.2
openjdk-25-jre-headless 25.0.3+9-2~26.04.2
openjdk-25-jre-zero 25.0.3+9-2~26.04.2

Ubuntu 25.10
openjdk-25-jdk 25.0.3+9-2~25.10.2
openjdk-25-jdk-headless 25.0.3+9-2~25.10.2
openjdk-25-jre 25.0.3+9-2~25.10.2
openjdk-25-jre-headless 25.0.3+9-2~25.10.2
openjdk-25-jre-zero 25.0.3+9-2~25.10.2

Ubuntu 24.04 LTS
openjdk-25-jdk 25.0.3+9-2~24.04.2
openjdk-25-jdk-headless 25.0.3+9-2~24.04.2
openjdk-25-jre 25.0.3+9-2~24.04.2
openjdk-25-jre-headless 25.0.3+9-2~24.04.2
openjdk-25-jre-zero 25.0.3+9-2~24.04.2

Ubuntu 22.04 LTS
openjdk-25-jdk 25.0.3+9-2~22.04.2
openjdk-25-jdk-headless 25.0.3+9-2~22.04.2
openjdk-25-jre 25.0.3+9-2~22.04.2
openjdk-25-jre-headless 25.0.3+9-2~22.04.2
openjdk-25-jre-zero 25.0.3+9-2~22.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8339-1
CVE-2026-22007, CVE-2026-22008, CVE-2026-22013, CVE-2026-22016,
CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268,
CVE-2026-34282

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.3+9-2~26.04.2
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.3+9-2~25.10.2
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.3+9-2~24.04.2
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.3+9-2~22.04.2

[USN-8344-1] pip vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8344-1
May 28, 2026

python-pip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in pip.

Software Description:
- python-pip: Python package installer

Details:

It was discovered that pip incorrectly handled TLS certificate
verification in session connections. If a session was first used with
certificate verification disabled, subsequent requests to the same host
would also skip verification regardless of the session's current settings.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and expose sensitive information.
(CVE-2024-35195)

It was discovered that pip's bundled urllib3 library did not limit the
number of decompression steps when processing HTTP responses. A remote
attacker could possibly use this issue to cause pip to consume excessive
resources, leading to a denial of service. (CVE-2025-66418)

It was discovered that pip's bundled urllib3 library improperly
handled streaming decompression of highly compressed data. A remote
attacker could possibly use this issue to cause pip to consume excessive
resources, leading to a denial of service. (CVE-2025-66471)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python3-pip 25.1.1+dfsg-1ubuntu2+esm1
Available with Ubuntu Pro
python3-pip-whl 25.1.1+dfsg-1ubuntu2+esm1
Available with Ubuntu Pro

Ubuntu 24.04 LTS
python3-pip 24.0+dfsg-1ubuntu1.3+esm1
Available with Ubuntu Pro
python3-pip-whl 24.0+dfsg-1ubuntu1.3+esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
python3-pip 22.0.2+dfsg-1ubuntu0.7+esm1
Available with Ubuntu Pro
python3-pip-whl 22.0.2+dfsg-1ubuntu0.7+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8344-1
CVE-2024-35195, CVE-2025-66418, CVE-2025-66471

[USN-8340-1] LibreOffice vulnerability
==========================================================================
Ubuntu Security Notice USN-8340-1
May 28, 2026

libreoffice vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

LibreOffice could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- libreoffice: Office productivity suite

Details:

Duc Anh Nguyen discovered that LibreOffice incorrectly handled mismatched
encryption salt parameters in crafted OOXML documents. An attacker could
use this issue to cause LibreOffice to crash, resulting in a denial of
service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libreoffice 4:24.2.7-0ubuntu0.24.04.5

Ubuntu 22.04 LTS
libreoffice 1:7.3.7-0ubuntu0.22.04.11

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8340-1
CVE-2026-4430

Package Information:
https://launchpad.net/ubuntu/+source/libreoffice/4:24.2.7-0ubuntu0.24.04.5
https://launchpad.net/ubuntu/+source/libreoffice/1:7.3.7-0ubuntu0.22.04.11

[USN-8343-1] multipart vulnerability
==========================================================================
Ubuntu Security Notice USN-8343-1
May 28, 2026

multipart vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10

Summary:

multipart could be made to use excessive resources if it received
specially crafted input.

Software Description:
- multipart: library for handling multipart/form-data POST requests

Details:

It was discovered that multipart had an ambiguous regular expression
alternation when handling certain HTTP header values. A remote attacker
could possibly use this issue to cause multipart to use excessive
resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python3-multipart 1.3.0-3ubuntu0.1

Ubuntu 25.10
python3-multipart 1.2.1-2+deb13u1build0.25.10.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8343-1
CVE-2026-28356

Package Information:
https://launchpad.net/ubuntu/+source/multipart/1.3.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/multipart/1.2.1-2+deb13u1build0.25.10.1

[USN-8338-1] Apache HTTP Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8338-1
May 28, 2026

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

It was discovered that Apache HTTP Server incorrectly handled certain
response headers. An attacker could possibly use this issue to perform
HTTP response splitting attacks. This issue only affected Ubuntu 14.04
LTS. (CVE-2023-38709)

Will Dormann and David Warren discovered that Apache HTTP Server's HTTP/2
implementation did not properly reclaim memory when streams were reset by
clients. A remote attacker could possibly use this issue to cause Apache
HTTP Server to consume resources, leading to a denial of service. This
issue only affected Ubuntu 18.04 LTS. (CVE-2023-45802)

Keran Mu and Jianjun Chen discovered that Apache HTTP Server incorrectly
handled certain response headers. An attacker could possibly use this issue
to perform HTTP response splitting attacks. This issue only affected Ubuntu
14.04 LTS. (CVE-2024-24795)

Orange Tsai discovered that Apache HTTP Server mod_proxy incorrectly
handled URL encoding. A remote attacker could possibly use this issue to
bypass authentication via crafted requests. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-38473)

Orange Tsai discovered that Apache HTTP Server could be caused to perform
server-side request forgery (SSRF) via malicious backend response headers.
A remote attacker could possibly use this issue to conduct SSRF attacks or
disclose sensitive information. This issue only affected Ubuntu 14.04 LTS.
(CVE-2024-38476)

Orange Tsai discovered that Apache HTTP Server mod_proxy did not properly
handle certain null pointer conditions. A remote attacker could possibly
use this issue to cause Apache HTTP Server to crash, resulting in a denial
of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38477)

Orange Tsai discovered that Apache HTTP Server mod_rewrite could be made
to perform server-side request forgery (SSRF) via unsafe RewriteRules. A
remote attacker could possibly use this issue to conduct SSRF attacks. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39573)

It was discovered that Apache HTTP Server incorrectly handled certain
response headers. An attacker could possibly use this issue to perform
HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS.
(CVE-2024-42516)

It was discovered that Apache HTTP Server could be caused to perform
server-side request forgery (SSRF) via mod_headers modifying Content-Type
headers. A remote attacker could possibly use this issue to conduct SSRF
attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-43204)

John Runyon discovered that Apache HTTP Server mod_ssl did not properly
escape user-supplied data before writing log entries. A remote attacker
could possibly use this issue to insert escape sequences into log files.
This issue only affected Ubuntu 14.04 LTS. (CVE-2024-47252)

Robert Merget discovered that Apache HTTP Server with SSLEngine optional was
vulnerable to HTTP desynchronisation attacks. An attacker in a privileged
network position could possibly use this issue to hijack HTTP sessions.
This issue only affected Ubuntu 14.04 LTS. (CVE-2025-49812)

It was discovered that Apache HTTP Server mod_md had an integer overflow in
the ACME certificate renewal backoff timer. An attacker could possibly use
this issue to cause excessive certificate renewal requests. This issue only
affected Ubuntu 20.04 LTS. (CVE-2025-55753)

Anthony Parfenov discovered that Apache HTTP Server with SSI enabled and
mod_cgid passed shell-escaped query strings to #exec cmd directives. A
remote attacker could possibly use this issue to perform command injection.
(CVE-2025-58098)

Mattias Åsander discovered that Apache HTTP Server incorrectly gave
precedence to environment variables from HTTP headers over server-calculated
CGI variables. A remote attacker could possibly use this issue to influence
the environment of CGI programs. (CVE-2025-65082)

Mattias Åsander discovered that Apache HTTP Server mod_userdir with suexec
could be caused to run CGI scripts under an unexpected user ID via
RequestHeader directives in .htaccess files. An attacker with .htaccess
write access could possibly use this issue to bypass suexec user
restrictions. (CVE-2025-66200)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
apache2 2.4.41-4ubuntu3.23+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
apache2 2.4.29-1ubuntu4.27+esm7
Available with Ubuntu Pro

Ubuntu 16.04 LTS
apache2 2.4.18-2ubuntu3.17+esm17
Available with Ubuntu Pro

Ubuntu 14.04 LTS
apache2 2.4.7-1ubuntu4.22+esm12
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8338-1
CVE-2023-38709, CVE-2023-45802, CVE-2024-24795, CVE-2024-38473,
CVE-2024-38476, CVE-2024-38477, CVE-2024-39573, CVE-2024-42516,
CVE-2024-43204, CVE-2024-47252, CVE-2025-49812, CVE-2025-55753,
CVE-2025-58098, CVE-2025-65082, CVE-2025-66200

[USN-8328-1] OpenJDK 21 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8328-1
May 28, 2026

openjdk-21 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenJDK 21.

Software Description:
- openjdk-21: Open Source Java implementation

Details:

Thomas Beckers discovered that the JAXP component of OpenJDK 21 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)

It was discovered that the Networking component of OpenJDK 21 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)

It was discovered that the JSSE component of OpenJDK 21 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)

It was discovered that the JGSS component of OpenJDK 21 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)

It was discovered that the 2D component of OpenJDK 21 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)

It was discovered that the Libraries component of OpenJDK 21 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)

Ken Pyle discovered that the Security component of OpenJDK 21 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-21-jdk 21.0.11+10-1~26.04.2
openjdk-21-jdk-headless 21.0.11+10-1~26.04.2
openjdk-21-jre 21.0.11+10-1~26.04.2
openjdk-21-jre-headless 21.0.11+10-1~26.04.2
openjdk-21-jre-zero 21.0.11+10-1~26.04.2

Ubuntu 25.10
openjdk-21-jdk 21.0.11+10-1~25.10.2
openjdk-21-jdk-headless 21.0.11+10-1~25.10.2
openjdk-21-jre 21.0.11+10-1~25.10.2
openjdk-21-jre-headless 21.0.11+10-1~25.10.2
openjdk-21-jre-zero 21.0.11+10-1~25.10.2

Ubuntu 24.04 LTS
openjdk-21-jdk 21.0.11+10-1~24.04.2
openjdk-21-jdk-headless 21.0.11+10-1~24.04.2
openjdk-21-jre 21.0.11+10-1~24.04.2
openjdk-21-jre-headless 21.0.11+10-1~24.04.2
openjdk-21-jre-zero 21.0.11+10-1~24.04.2

Ubuntu 22.04 LTS
openjdk-21-jdk 21.0.11+10-1~22.04.2
openjdk-21-jdk-headless 21.0.11+10-1~22.04.2
openjdk-21-jre 21.0.11+10-1~22.04.2
openjdk-21-jre-headless 21.0.11+10-1~22.04.2
openjdk-21-jre-zero 21.0.11+10-1~22.04.2

Ubuntu 20.04 LTS
openjdk-21-jdk 21.0.11+10-1~20.04.2
Available with Ubuntu Pro
openjdk-21-jdk-headless 21.0.11+10-1~20.04.2
Available with Ubuntu Pro
openjdk-21-jre 21.0.11+10-1~20.04.2
Available with Ubuntu Pro
openjdk-21-jre-headless 21.0.11+10-1~20.04.2
Available with Ubuntu Pro
openjdk-21-jre-zero 21.0.11+10-1~20.04.2
Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8328-1
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018,
CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.11+10-1~26.04.2
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.11+10-1~25.10.2
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.11+10-1~24.04.2
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.11+10-1~22.04.2

[USN-8327-1] OpenJDK 17 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8327-1
May 28, 2026

openjdk-17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 17.

Software Description:
- openjdk-17: Open Source Java implementation

Details:

Thomas Beckers discovered that the JAXP component of OpenJDK 17 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)

It was discovered that the Networking component of OpenJDK 17 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)

It was discovered that the JSSE component of OpenJDK 17 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)

It was discovered that the JGSS component of OpenJDK 17 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)

It was discovered that the 2D component of OpenJDK 17 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)

It was discovered that the Libraries component of OpenJDK 17 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)

Ken Pyle discovered that the Security component of OpenJDK 17 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-17-jdk 17.0.19+10-1~26.04.2
openjdk-17-jdk-headless 17.0.19+10-1~26.04.2
openjdk-17-jre 17.0.19+10-1~26.04.2
openjdk-17-jre-headless 17.0.19+10-1~26.04.2
openjdk-17-jre-zero 17.0.19+10-1~26.04.2
Ubuntu 25.10
openjdk-17-jdk 17.0.19+10-1~25.10.2
openjdk-17-jdk-headless 17.0.19+10-1~25.10.2
openjdk-17-jre 17.0.19+10-1~25.10.2
openjdk-17-jre-headless 17.0.19+10-1~25.10.2
openjdk-17-jre-zero 17.0.19+10-1~25.10.2
Ubuntu 24.04 LTS
openjdk-17-jdk 17.0.19+10-1~24.04.2
openjdk-17-jdk-headless 17.0.19+10-1~24.04.2
openjdk-17-jre 17.0.19+10-1~24.04.2
openjdk-17-jre-headless 17.0.19+10-1~24.04.2
openjdk-17-jre-zero 17.0.19+10-1~24.04.2
Ubuntu 22.04 LTS
openjdk-17-jdk 17.0.19+10-1~22.04.2
openjdk-17-jdk-headless 17.0.19+10-1~22.04.2
openjdk-17-jre 17.0.19+10-1~22.04.2
openjdk-17-jre-headless 17.0.19+10-1~22.04.2
openjdk-17-jre-zero 17.0.19+10-1~22.04.2
Ubuntu 20.04 LTS
openjdk-17-jdk 17.0.19+10-1~20.04.2
Available with Ubuntu Pro
openjdk-17-jdk-headless 17.0.19+10-1~20.04.2
Available with Ubuntu Pro
openjdk-17-jre 17.0.19+10-1~20.04.2
Available with Ubuntu Pro
openjdk-17-jre-headless 17.0.19+10-1~20.04.2
Available with Ubuntu Pro
openjdk-17-jre-zero 17.0.19+10-1~20.04.2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
openjdk-17-jdk 17.0.19+10-1~18.04.2
Available with Ubuntu Pro
openjdk-17-jdk-headless 17.0.19+10-1~18.04.2
Available with Ubuntu Pro
openjdk-17-jre 17.0.19+10-1~18.04.2
Available with Ubuntu Pro
openjdk-17-jre-headless 17.0.19+10-1~18.04.2
Available with Ubuntu Pro
openjdk-17-jre-zero 17.0.19+10-1~18.04.2
Available with Ubuntu Pro
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8327-1
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018,
CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.19+10-1~26.04.2
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.19+10-1~25.10.2
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.19+10-1~24.04.2
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.19+10-1~22.04.2
[USN-8333-1] CRaC JDK 21 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8333-1
May 28, 2026
openjdk-21-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
Summary:
Several security issues were fixed in CRaC JDK 21.
Software Description:
- openjdk-21-crac: Open Source Java implementation with Coordinated Restore at Checkpoints
Details:
Thomas Beckers discovered that the JAXP component of CRaC JDK 21 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)
It was discovered that the Networking component of CRaC JDK 21 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)
It was discovered that the JSSE component of CRaC JDK 21 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)
It was discovered that the JGSS component of CRaC JDK 21 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)
It was discovered that the 2D component of CRaC JDK 21 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)
It was discovered that the Libraries component of CRaC JDK 21 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)
Ken Pyle discovered that the Security component of CRaC JDK 21 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-21-crac-jdk 21.0.11+10-0ubuntu1~26.04.1
openjdk-21-crac-jdk-headless 21.0.11+10-0ubuntu1~26.04.1
openjdk-21-crac-jre 21.0.11+10-0ubuntu1~26.04.1
openjdk-21-crac-jre-headless 21.0.11+10-0ubuntu1~26.04.1
openjdk-21-crac-jre-zero 21.0.11+10-0ubuntu1~26.04.1
Ubuntu 25.10
openjdk-21-crac-jdk 21.0.11+10-0ubuntu1~25.10.1
openjdk-21-crac-jdk-headless 21.0.11+10-0ubuntu1~25.10.1
openjdk-21-crac-jre 21.0.11+10-0ubuntu1~25.10.1
openjdk-21-crac-jre-headless 21.0.11+10-0ubuntu1~25.10.1
openjdk-21-crac-jre-zero 21.0.11+10-0ubuntu1~25.10.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8333-1
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018,
CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21-crac/21.0.11+10-0ubuntu1~26.04.1
https://launchpad.net/ubuntu/+source/openjdk-21-crac/21.0.11+10-0ubuntu1~25.10.1
[USN-8334-1] CRaC JDK 25 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8334-1
May 28, 2026
openjdk-25-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
Summary:
Several security issues were fixed in CRaC JDK 25.
Software Description:
- openjdk-25-crac: Open Source Java implementation with Coordinated Restore at Checkpoints
Details:
Thomas Beckers discovered that the JAXP component of CRaC JDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)
It was discovered that the Networking component of CRaC JDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)
It was discovered that the JSSE component of CRaC JDK 25 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)
It was discovered that the JGSS component of CRaC JDK 25 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)
It was discovered that the 2D component of CRaC JDK 25 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)
It was discovered that the Libraries component of CRaC JDK 25 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service or to modify
data without authorization. (CVE-2026-22008, CVE-2026-22018)
Ken Pyle discovered that the Security component of CRaC JDK 25 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-25-crac-jdk 25.0.3+9-0ubuntu1~26.04.1
openjdk-25-crac-jdk-headless 25.0.3+9-0ubuntu1~26.04.1
openjdk-25-crac-jre 25.0.3+9-0ubuntu1~26.04.1
openjdk-25-crac-jre-headless 25.0.3+9-0ubuntu1~26.04.1
openjdk-25-crac-jre-zero 25.0.3+9-0ubuntu1~26.04.1
Ubuntu 25.10
openjdk-25-crac-jdk 25.0.3+9-0ubuntu1~25.10.1
openjdk-25-crac-jdk-headless 25.0.3+9-0ubuntu1~25.10.1
openjdk-25-crac-jre 25.0.3+9-0ubuntu1~25.10.1
openjdk-25-crac-jre-headless 25.0.3+9-0ubuntu1~25.10.1
openjdk-25-crac-jre-zero 25.0.3+9-0ubuntu1~25.10.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8334-1
CVE-2026-22007, CVE-2026-22008, CVE-2026-22013, CVE-2026-22016,
CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268,
CVE-2026-34282
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-25-crac/25.0.3+9-0ubuntu1~26.04.1
https://launchpad.net/ubuntu/+source/openjdk-25-crac/25.0.3+9-0ubuntu1~25.10.1
[USN-8332-1] CRaC JDK 17 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8332-1
May 28, 2026
openjdk-17-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
Summary:
Several security issues were fixed in CRaC JDK 17.
Software Description:
- openjdk-17-crac: Open Source Java implementation with Coordinated Restore at Checkpoints
Details:
Thomas Beckers discovered that the JAXP component of CRaC JDK 17 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)
It was discovered that the Networking component of CRaC JDK 17 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)
It was discovered that the JSSE component of CRaC JDK 17 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)
It was discovered that the JGSS component of CRaC JDK 17 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)
It was discovered that the 2D component of CRaC JDK 17 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)
It was discovered that the Libraries component of CRaC JDK 17 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)
Ken Pyle discovered that the Security component of CRaC JDK 17 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-17-crac-jdk 17.0.19+10-0ubuntu1~26.04.1
openjdk-17-crac-jdk-headless 17.0.19+10-0ubuntu1~26.04.1
openjdk-17-crac-jre 17.0.19+10-0ubuntu1~26.04.1
openjdk-17-crac-jre-headless 17.0.19+10-0ubuntu1~26.04.1
openjdk-17-crac-jre-zero 17.0.19+10-0ubuntu1~26.04.1
Ubuntu 25.10
openjdk-17-crac-jdk 17.0.19+10-0ubuntu1~25.10.1
openjdk-17-crac-jdk-headless 17.0.19+10-0ubuntu1~25.10.1
openjdk-17-crac-jre 17.0.19+10-0ubuntu1~25.10.1
openjdk-17-crac-jre-headless 17.0.19+10-0ubuntu1~25.10.1
openjdk-17-crac-jre-zero 17.0.19+10-0ubuntu1~25.10.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8332-1
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018,
CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17-crac/17.0.19+10-0ubuntu1~26.04.1
https://launchpad.net/ubuntu/+source/openjdk-17-crac/17.0.19+10-0ubuntu1~25.10.1
[USN-8330-1] OpenJDK 8 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8330-1
May 28, 2026
openjdk-8 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenJDK 8.
Software Description:
- openjdk-8: Open Source Java implementation
Details:
Thomas Beckers discovered that the JAXP component of OpenJDK 8 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)
It was discovered that the JSSE component of OpenJDK 8 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)
It was discovered that the JGSS component of OpenJDK 8 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)
It was discovered that the 2D component of OpenJDK 8 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)
It was discovered that the Libraries component of OpenJDK 8 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)
Ken Pyle discovered that the Security component of OpenJDK 8 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~26.04.1
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~26.04.1
openjdk-8-jre 8u492-ga~us2-0ubuntu1~26.04.1
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~26.04.1
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~26.04.1
Ubuntu 25.10
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~25.10.1
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~25.10.1
openjdk-8-jre 8u492-ga~us2-0ubuntu1~25.10.1
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~25.10.1
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~25.10.1
Ubuntu 24.04 LTS
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~24.04.1
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~24.04.1
openjdk-8-jre 8u492-ga~us2-0ubuntu1~24.04.1
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~24.04.1
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~24.04.1
Ubuntu 22.04 LTS
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~22.04.1
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~22.04.1
openjdk-8-jre 8u492-ga~us2-0ubuntu1~22.04.1
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~22.04.1
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~22.04.1
Ubuntu 20.04 LTS
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~20.04.1
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~20.04.1
Available with Ubuntu Pro
openjdk-8-jre 8u492-ga~us2-0ubuntu1~20.04.1
Available with Ubuntu Pro
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~20.04.1
Available with Ubuntu Pro
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~20.04.1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~18.04.1
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~18.04.1
Available with Ubuntu Pro
openjdk-8-jre 8u492-ga~us2-0ubuntu1~18.04.1
Available with Ubuntu Pro
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~18.04.1
Available with Ubuntu Pro
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~18.04.1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
openjdk-8-jdk 8u492-ga~us2-0ubuntu1~16.04.1
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u492-ga~us2-0ubuntu1~16.04.1
Available with Ubuntu Pro
openjdk-8-jre 8u492-ga~us2-0ubuntu1~16.04.1
Available with Ubuntu Pro
openjdk-8-jre-headless 8u492-ga~us2-0ubuntu1~16.04.1
Available with Ubuntu Pro
openjdk-8-jre-jamvm 8u492-ga~us2-0ubuntu1~16.04.1
Available with Ubuntu Pro
openjdk-8-jre-zero 8u492-ga~us2-0ubuntu1~16.04.1
Available with Ubuntu Pro
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8330-1
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018,
CVE-2026-22021, CVE-2026-23865, CVE-2026-34268
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u492-ga~us2-0ubuntu1~26.04.1
https://launchpad.net/ubuntu/+source/openjdk-8/8u492-ga~us2-0ubuntu1~25.10.1
https://launchpad.net/ubuntu/+source/openjdk-8/8u492-ga~us2-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/openjdk-8/8u492-ga~us2-0ubuntu1~22.04.1
[USN-8331-1] OpenJDK 11 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8331-1
May 28, 2026
openjdk-lts vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in OpenJDK 11.
Software Description:
- openjdk-lts: Open Source Java implementation
Details:
Thomas Beckers discovered that the JAXP component of OpenJDK 11 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to gain unauthorized access to sensitive
information. (CVE-2026-22016)
It was discovered that the Networking component of OpenJDK 11 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-34282)
It was discovered that the JSSE component of OpenJDK 11 did not correctly
authenticate certain APIs. A remote unauthenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2026-22021)
It was discovered that the JGSS component of OpenJDK 11 did not correctly
authenticate certain APIs. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2026-22013)
It was discovered that the 2D component of OpenJDK 11 did not correctly
handle certain integer arithmetic. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive information. (CVE-2026-23865)
It was discovered that the Libraries component of OpenJDK 11 did not
correctly authenticate certain APIs. A remote unauthenticated attacker
could possibly use this issue to cause a denial of service.
(CVE-2026-22018)
Ken Pyle discovered that the Security component of OpenJDK 11 did not
correctly authenticate certain APIs. A local attacker could possibly use
this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-04-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openjdk-11-jdk 11.0.31+11-1ubuntu1~26.04.2
openjdk-11-jdk-headless 11.0.31+11-1ubuntu1~26.04.2
openjdk-11-jre 11.0.31+11-1ubuntu1~26.04.2
openjdk-11-jre-headless 11.0.31+11-1ubuntu1~26.04.2
openjdk-11-jre-zero 11.0.31+11-1ubuntu1~26.04.2
Ubuntu 25.10
openjdk-11-jdk 11.0.31+11-1ubuntu1~25.10.2
openjdk-11-jdk-headless 11.0.31+11-1ubuntu1~25.10.2
openjdk-11-jre 11.0.31+11-1ubuntu1~25.10.2
openjdk-11-jre-headless 11.0.31+11-1ubuntu1~25.10.2
openjdk-11-jre-zero 11.0.31+11-1ubuntu1~25.10.2
Ubuntu 24.04 LTS
openjdk-11-jdk 11.0.31+11-1ubuntu1~24.04.2
openjdk-11-jdk-headless 11.0.31+11-1ubuntu1~24.04.2
openjdk-11-jre 11.0.31+11-1ubuntu1~24.04.2
openjdk-11-jre-headless 11.0.31+11-1ubuntu1~24.04.2
openjdk-11-jre-zero 11.0.31+11-1ubuntu1~24.04.2
Ubuntu 22.04 LTS
openjdk-11-jdk 11.0.31+11-1ubuntu1~22.04.2
openjdk-11-jdk-headless 11.0.31+11-1ubuntu1~22.04.2
openjdk-11-jre 11.0.31+11-1ubuntu1~22.04.2
openjdk-11-jre-headless 11.0.31+11-1ubuntu1~22.04.2
openjdk-11-jre-zero 11.0.31+11-1ubuntu1~22.04.2
Ubuntu 20.04 LTS
openjdk-11-jdk 11.0.31+11-1ubuntu1~20.04.2
Available with Ubuntu Pro
openjdk-11-jdk-headless 11.0.31+11-1ubuntu1~20.04.2
Available with Ubuntu Pro
openjdk-11-jre 11.0.31+11-1ubuntu1~20.04.2
Available with Ubuntu Pro
openjdk-11-jre-headless 11.0.31+11-1ubuntu1~20.04.2
Available with Ubuntu Pro
openjdk-11-jre-zero 11.0.31+11-1ubuntu1~20.04.2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
openjdk-11-jdk 11.0.31+11-1ubuntu1~18.04.2
Available with Ubuntu Pro
openjdk-11-jdk-headless 11.0.31+11-1ubuntu1~18.04.2
Available with Ubuntu Pro
openjdk-11-jre 11.0.31+11-1ubuntu1~18.04.2
Available with Ubuntu Pro
openjdk-11-jre-headless 11.0.31+11-1ubuntu1~18.04.2
Available with Ubuntu Pro
openjdk-11-jre-zero 11.0.31+11-1ubuntu1~18.04.2
Available with Ubuntu Pro
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any running Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8331-1
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018,
CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.31+11-1ubuntu1~26.04.2
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.31+11-1ubuntu1~25.10.2
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.31+11-1ubuntu1~24.04.2
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.31+11-1ubuntu1~22.04.2
[USN-8337-1] QtSvg vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8337-1
May 28, 2026
qtsvg-opensource-src vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in QtSvg.
Software Description:
- qtsvg-opensource-src: Qt 5 SVG module
Details:
It was discovered that QtSvg incorrectly handled certain SVG images. An
attacker could possibly use this issue to cause QtSvg to crash, resulting in
a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2018-19869)
It was discovered that QtSvg incorrectly handled certain SVG images. An
attacker could use this issue to cause QtSvg to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-3481,
CVE-2021-28025, CVE-2021-45930)
It was discovered that QtSvg incorrectly handled certain SVG images. An
attacker could use this issue to cause QtSvg to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2023-32573)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
libqt5svg5 5.15.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
libqt5svg5 5.12.8-0ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libqt5svg5 5.9.5-0ubuntu1.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libqt5svg5 5.5.1-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8337-1
CVE-2018-19869, CVE-2021-28025, CVE-2021-3481, CVE-2021-45930,
CVE-2023-32573
[USN-8336-1] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8336-1
May 28, 2026
php8.1, php8.3, php8.4, php8.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php8.5: HTML-embedded scripting language interpreter
- php8.4: HTML-embedded scripting language interpreter
- php8.3: HTML-embedded scripting language interpreter
- php8.1: HTML-embedded scripting language interpreter
Details:
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly
handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2025-14179)
It was discovered that PHP incorrectly handled certain encoding names in
mbstring. An attacker could possibly use this issue to obtain sensitive
information or cause a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104)
It was discovered that PHP incorrectly handled object references while
parsing crafted SOAP requests. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-6722)
It was discovered that PHP incorrectly sanitized certain data in the
PHP-FPM status page. A remote attacker could possibly use this issue to
inject arbitrary JavaScript code. (CVE-2026-6735)
It was discovered that PHP had an encoding mismatch in mbstring. An
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service. (CVE-2026-7259)
It was discovered that PHP incorrectly handled SOAP session persistence
after errors. A remote attacker could possibly use this issue to obtain
sensitive information or cause PHP to crash, resulting in a denial of
service. (CVE-2026-7261)
It was discovered that PHP incorrectly handled missing values in SOAP
typemap decoding. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2026-7262)
It was discovered that PHP incorrectly handled XML canonicalization in
DOMNode::C14N(). An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-7263)
It was discovered that PHP incorrectly handled very long input in
metaphone(). An attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2026-7568)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
php8.5 8.5.4-0ubuntu1.1
Ubuntu 25.10
php8.4 8.4.11-1ubuntu1.2
Ubuntu 24.04 LTS
php8.3 8.3.6-0ubuntu0.24.04.9
Ubuntu 22.04 LTS
php8.1 8.1.2-1ubuntu2.24
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8336-1
CVE-2025-14179, CVE-2026-6104, CVE-2026-6722, CVE-2026-6735,
CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263,
CVE-2026-7568
Package Information:
https://launchpad.net/ubuntu/+source/php8.5/8.5.4-0ubuntu1.1
https://launchpad.net/ubuntu/+source/php8.4/8.4.11-1ubuntu1.2
https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.9
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.24
[USN-8335-1] pyOpenSSL vulnerability
==========================================================================
Ubuntu Security Notice USN-8335-1
May 28, 2026
pyopenssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
pyOpenSSL could allow unintended access to network services.
Software Description:
- pyopenssl: Python wrapper around the OpenSSL library
Details:
It was discovered that pyOpenSSL incorrectly handled exceptions in the
tlsext_servername callback. This could result in connections being accepted
after an exception, contrary to expectations.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
python-openssl 19.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-openssl 19.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python-openssl 17.5.0-1ubuntu1+esm1
Available with Ubuntu Pro
python3-openssl 17.5.0-1ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-openssl 0.15.1-2ubuntu0.2+esm1
Available with Ubuntu Pro
python3-openssl 0.15.1-2ubuntu0.2+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8335-1
CVE-2026-27448
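Every notice above ends with an "Update instructions" block of package and fixed-version pairs, and the practical question for an administrator is whether the installed version is at or above that fix. The following added example (not part of any Ubuntu notice) parses such a block for one release and compares it against a dpkg-query inventory using Debian's version-ordering rules, the same algorithm as dpkg --compare-versions, so suffixes such as ~esm1 (sorts below the bare version) and +esm1 (sorts above it) are handled. The advisory lines are copied from USN-8327-1 and USN-8337-1; the inventory and all function names are constructed for the example.

```python
"""Check a dpkg inventory against the fixed versions in a USN "Update instructions" block.

Added example; not part of the notices above. The advisory excerpt is copied
from USN-8327-1 and USN-8337-1, the inventory is constructed. Version ordering
follows Debian Policy 5.6.12, the algorithm behind dpkg --compare-versions.
"""
import re

# Excerpt of "Update instructions" lines, verbatim from the notices on this page.
USN_EXCERPT = """\
Ubuntu 22.04 LTS
openjdk-17-jdk 17.0.19+10-1~22.04.2
openjdk-17-jre-headless 17.0.19+10-1~22.04.2
libqt5svg5 5.15.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
openjdk-17-jdk 17.0.19+10-1~20.04.2
Available with Ubuntu Pro
libqt5svg5 5.12.8-0ubuntu1+esm1
Available with Ubuntu Pro
"""

# Constructed `dpkg-query -W` output (package<TAB>version) for a 22.04 host.
INVENTORY_22_04 = """\
libqt5svg5\t5.15.3-1
openjdk-17-jdk\t17.0.19+10-1~22.04.1
openjdk-17-jre-headless\t17.0.19+10-1~22.04.2
"""


def _order(ch):
    """dpkg's character weight: '~' sorts before the end of a run (weight 0),
    letters by code point, any other punctuation after all letters."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision pair by alternating
    non-digit runs (lexically via _order) and digit runs (numerically)."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            wa = _order(sa[i]) if i < len(sa) else 0  # 0 = end of run
            wb = _order(sb[i]) if i < len(sb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)  # missing run counts as 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """[epoch:]upstream_version[-debian_revision] -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def fixed_versions(advisory_text, release):
    """Map package -> fixed version for one release section of a notice."""
    fixed, current = {}, None
    for line in advisory_text.splitlines():
        if re.fullmatch(r"Ubuntu \d+\.\d+( LTS)?", line):
            current = line
        elif current == release:
            parts = line.split()
            if len(parts) == 2:  # skips "Available with Ubuntu Pro"
                fixed[parts[0]] = parts[1]
    return fixed


def unpatched(advisory_text, release, inventory_text):
    """List (package, installed, fixed) for installed packages below the fix."""
    fixed = fixed_versions(advisory_text, release)
    findings = []
    for line in inventory_text.splitlines():
        pkg, _sep, installed = line.partition("\t")
        if pkg in fixed and compare_versions(installed, fixed[pkg]) < 0:
            findings.append((pkg, installed, fixed[pkg]))
    return findings


if __name__ == "__main__":
    for pkg, have, need in unpatched(USN_EXCERPT, "Ubuntu 22.04 LTS", INVENTORY_22_04):
        print(f"{pkg}: installed {have} < fixed {need}")
```

On a real host, feed the output of dpkg-query -W in place of the constructed inventory; packages absent from the inventory are not reported, so a missing entry means "not installed", not "patched".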