Ubuntu 7051

Ubuntu has published a batch of security notices covering Redis together with the Lua libraries it links against, the Perl XML::Parser module, polkit, the tar-rs crate and the copy of tar-rs embedded in rustc. The impacts range from denial of service to possible arbitrary code execution (crafted Lua scripts sent to Redis, crafted XML fed to XML::Parser) and, for the tar-rs issue, modification of permissions on directories outside the extraction root; one of the polkit flaws is only reachable by a local attacker. Between them the notices span Ubuntu 14.04 LTS through Ubuntu 25.10, but no single notice affects every release, and the fixed packages for 14.04, 16.04, 18.04 and 20.04 LTS, as well as the Lua packages on 22.04 LTS, are only available with Ubuntu Pro (Expanded Security Maintenance). On each affected host a standard system update (for example, sudo apt update followed by sudo apt upgrade) installs the corrected packages; note that on 20.04 and 22.04 LTS the Redis fixes ship in the Lua packages rather than in redis itself.

[USN-8169-1] Redis, Lua vulnerabilities
[USN-8174-1] XML::Parser vulnerabilities
[USN-8173-1] polkit vulnerabilities
[USN-8138-2] tar-rs vulnerability
[USN-8168-2] Rust vulnerability




[USN-8169-1] Redis, Lua vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8169-1
April 13, 2026

redis, lua5.1, lua-cjson, lua-bitop vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Redis, lua5.1, lua-cjson, lua-bitop.

Software Description:
- redis: Persistent key-value database with network interface
- lua-bitop: fast bit manipulation library for the Lua language
- lua-cjson: JSON parser/encoder for Lua language
- lua5.1: Lua is an embeddable scripting language

Details:

It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue was only addressed in
lua5.1 on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2025-49844)

It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue was only addressed in
lua-bitop on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS and in redis on Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-31449)

Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled
certain specially crafted Lua scripts. An attacker could possibly use this
issue to cause heap corruption and execute arbitrary code. This issue was only
addressed in lua-cjson on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24834)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
redis 5:7.0.15-1ubuntu0.24.04.4
redis-sentinel 5:7.0.15-1ubuntu0.24.04.4
redis-server 5:7.0.15-1ubuntu0.24.04.4
redis-tools 5:7.0.15-1ubuntu0.24.04.4

Ubuntu 22.04 LTS
liblua5.1-0 5.1.5-8.1ubuntu0.22.04.1~esm1
Available with Ubuntu Pro
liblua5.1-0-dev 5.1.5-8.1ubuntu0.22.04.1~esm1
Available with Ubuntu Pro
liblua5.1-bitop-dev 1.0.2-5ubuntu0.22.04.1~esm2
Available with Ubuntu Pro
liblua5.1-bitop0 1.0.2-5ubuntu0.22.04.1~esm2
Available with Ubuntu Pro
lua-bitop 1.0.2-5ubuntu0.22.04.1~esm2
Available with Ubuntu Pro
lua-bitop-dev 1.0.2-5ubuntu0.22.04.1~esm2
Available with Ubuntu Pro
lua-cjson 2.1.0+dfsg-2.1ubuntu0.22.04.1~esm2
Available with Ubuntu Pro
lua-cjson-dev 2.1.0+dfsg-2.1ubuntu0.22.04.1~esm2
Available with Ubuntu Pro
lua5.1 5.1.5-8.1ubuntu0.22.04.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
liblua5.1-0 5.1.5-8.1ubuntu0.20.04.1~esm1
Available with Ubuntu Pro
liblua5.1-0-dev 5.1.5-8.1ubuntu0.20.04.1~esm1
Available with Ubuntu Pro
liblua5.1-bitop-dev 1.0.2-5ubuntu0.20.04.1~esm2
Available with Ubuntu Pro
liblua5.1-bitop0 1.0.2-5ubuntu0.20.04.1~esm2
Available with Ubuntu Pro
lua-bitop 1.0.2-5ubuntu0.20.04.1~esm2
Available with Ubuntu Pro
lua-bitop-dev 1.0.2-5ubuntu0.20.04.1~esm2
Available with Ubuntu Pro
lua-cjson 2.1.0+dfsg-2.1ubuntu0.20.04.1~esm2
Available with Ubuntu Pro
lua-cjson-dev 2.1.0+dfsg-2.1ubuntu0.20.04.1~esm2
Available with Ubuntu Pro
lua5.1 5.1.5-8.1ubuntu0.20.04.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
redis 5:4.0.9-1ubuntu0.2+esm7
Available with Ubuntu Pro
redis-sentinel 5:4.0.9-1ubuntu0.2+esm7
Available with Ubuntu Pro
redis-server 5:4.0.9-1ubuntu0.2+esm7
Available with Ubuntu Pro
redis-tools 5:4.0.9-1ubuntu0.2+esm7
Available with Ubuntu Pro

Ubuntu 16.04 LTS
redis-sentinel 2:3.0.6-1ubuntu0.4+esm5
Available with Ubuntu Pro
redis-server 2:3.0.6-1ubuntu0.4+esm5
Available with Ubuntu Pro
redis-tools 2:3.0.6-1ubuntu0.4+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes. On Ubuntu 20.04 LTS and Ubuntu 22.04 LTS the fixes ship in the Lua packages that redis-server links against rather than in redis itself, so a running redis-server must be restarted after the update to load the corrected shared libraries.

References:
https://ubuntu.com/security/notices/USN-8169-1
CVE-2022-24834, CVE-2024-31449, CVE-2025-49844

Package Information:
https://launchpad.net/ubuntu/+source/redis/5:7.0.15-1ubuntu0.24.04.4



[USN-8174-1] XML::Parser vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8174-1
April 14, 2026

libxml-parser-perl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in XML::Parser.

Software Description:
- libxml-parser-perl: Perl module for parsing XML files

Details:

It was discovered that XML::Parser incorrectly handled certain multi-byte
UTF-8 characters. If a user or automated system were tricked into
processing specially crafted XML data, a remote attacker could use this
issue to cause XML::Parser to crash, resulting in a denial of service or to
possibly execute arbitrary code. (CVE-2006-10002)

It was discovered that XML::Parser incorrectly handled very deep element
nesting. If a user or automated system were tricked into processing
specially crafted XML data, a remote attacker could use this issue to cause
XML::Parser to crash, resulting in a denial of service or to possibly
execute arbitrary code. (CVE-2006-10003)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libxml-parser-perl 2.47-1ubuntu0.25.10.1

Ubuntu 24.04 LTS
libxml-parser-perl 2.47-1ubuntu0.24.04.1

Ubuntu 22.04 LTS
libxml-parser-perl 2.46-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8174-1
CVE-2006-10002, CVE-2006-10003

Package Information:
https://launchpad.net/ubuntu/+source/libxml-parser-perl/2.47-1ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/libxml-parser-perl/2.47-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/libxml-parser-perl/2.46-3ubuntu0.1



[USN-8173-1] polkit vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8173-1
April 14, 2026

policykit-1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in polkit.

Software Description:
- policykit-1: framework for managing administrative policies and privileges

Details:

It was discovered that polkit incorrectly handled nested elements in XML
policy files. If an administrator were tricked into installing a malicious
policy file, a remote attacker could possibly use this issue to cause
polkit to crash, resulting in a denial of service. (CVE-2025-7519)

Pavel Kohout discovered that the polkit polkit-agent-helper-1 utility
incorrectly handled long input. A local attacker could possibly use this
issue to cause polkit to crash, resulting in a denial of service.
(CVE-2026-4897)
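The XML::Parser notice (USN-8174-1: malformed multi-byte UTF-8 and very deep element nesting) and the first polkit issue above (CVE-2025-7519: nested elements in XML policy files) describe the same class of input, documents whose byte sequences or nesting depth the consuming parser was never bounded against. The following Python function, added as an example and not code from either project or from their fixes, is the pre-check a consumer of untrusted XML can place in front of a recursive parser: it refuses input that is not valid UTF-8 and aborts as soon as nesting exceeds a fixed depth, using expat's event-driven parser so the check itself cannot be exhausted. The three sample documents (a minimal polkit-style action description, a 5000-deep nesting, a truncated UTF-8 sequence) are constructed for this example, and the depth limit of 64 is an assumed policy value, not a figure from either advisory.

```python
# Added example: bounded pre-check for untrusted XML (valid UTF-8, limited
# element depth) before it reaches a recursive parser.  Not polkit's or
# XML::Parser's code.
import xml.parsers.expat


class _TooDeep(Exception):
    """Raised inside an expat handler to abort the parse early."""


def check_xml(data, max_depth=64):
    """Return ("ok", deepest_nesting) or (reason, detail), where reason is one
    of "bad-utf8", "too-deep" or "malformed".  Assumes UTF-8 input, which is
    what polkit .policy files use; max_depth=64 is an assumed policy value."""
    # 1. Refuse truncated or otherwise invalid multi-byte UTF-8 up front
    #    instead of letting the parser discover it in the middle of a token.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as err:
        return "bad-utf8", err.start

    # 2. Count element depth with expat, which is iterative (no recursion),
    #    so a deeply nested document cannot exhaust the checker's own stack.
    parser = xml.parsers.expat.ParserCreate()
    depth = {"now": 0, "max": 0}

    def start_element(name, attrs):
        depth["now"] += 1
        if depth["now"] > max_depth:
            raise _TooDeep(name)          # propagates out of parser.Parse()
        depth["max"] = max(depth["max"], depth["now"])

    def end_element(name):
        depth["now"] -= 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except _TooDeep as err:
        return "too-deep", f"<{err}> exceeds {max_depth}"
    except xml.parsers.expat.ExpatError as err:
        return "malformed", str(err)
    return "ok", depth["max"]


# Constructed sample: the skeleton of a polkit action description.
POLICY_OK = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<policyconfig>\n"
    b'  <action id="org.example.demo">\n'
    b"    <description>Demo action \xc3\xa9</description>\n"
    b"    <defaults><allow_active>auth_admin</allow_active></defaults>\n"
    b"  </action>\n"
    b"</policyconfig>\n"
)
# Constructed: 5000 nested elements, the shape of a deep-nesting crash input.
DEEP_NESTING = b"<a>" * 5000 + b"</a>" * 5000
# Constructed: a two-byte UTF-8 sequence cut off after its lead byte.
TRUNCATED_UTF8 = b"<d>caf\xc3</d>"

if __name__ == "__main__":
    for label, doc in (("policy", POLICY_OK), ("deep", DEEP_NESTING), ("utf8", TRUNCATED_UTF8)):
        print(label, check_xml(doc))
```

A check like this belongs at the trust boundary (the feed ingester, the packaging hook that installs policy files) and is defence in depth; the actual fixes are the package versions in the update tables.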

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
polkitd 126-2ubuntu0.1

Ubuntu 24.04 LTS
policykit-1 124-2ubuntu1.24.04.3

Ubuntu 22.04 LTS
policykit-1 0.105-33ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8173-1
CVE-2025-7519, CVE-2026-4897

Package Information:
https://launchpad.net/ubuntu/+source/policykit-1/126-2ubuntu0.1
https://launchpad.net/ubuntu/+source/policykit-1/124-2ubuntu1.24.04.3
https://launchpad.net/ubuntu/+source/policykit-1/0.105-33ubuntu0.1



[USN-8138-2] tar-rs vulnerability


==========================================================================
Ubuntu Security Notice USN-8138-2
April 14, 2026

rust-tar vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

tar-rs could be made to modify permissions on arbitrary directories.

Software Description:
- rust-tar: A tar archive reading/writing library for Rust

Details:

USN-8138-1 fixed a vulnerability in tar-rs. This update provides the
corresponding update for Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that tar-rs incorrectly handled symlinks when unpacking
a tar archive. If a user or automated system were tricked into processing
a specially crafted tar archive, a remote attacker could use this issue to
modify permissions of arbitrary directories outside the extraction root,
and possibly escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
librust-tar-dev 0.4.26-1ubuntu0.1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8138-2
https://ubuntu.com/security/notices/USN-8138-1
CVE-2026-33056



[USN-8168-2] Rust vulnerability


==========================================================================
Ubuntu Security Notice USN-8168-2
April 14, 2026

rustc, rustc-1.76, rustc-1.77, rustc-1.78, rustc-1.79, rustc-1.80
vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

rustc could be made to modify permissions on arbitrary directories.

Software Description:
- rustc: Rust systems programming language
- rustc-1.76: Rust systems programming language
- rustc-1.77: Rust systems programming language
- rustc-1.78: Rust systems programming language
- rustc-1.79: Rust systems programming language
- rustc-1.80: Rust systems programming language

Details:

USN-8168-1 fixed a vulnerability in Rust. This update provides the
corresponding update to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04
LTS and Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that tar-rs embedded in rustc incorrectly handled
symlinks when unpacking a tar archive. If a user or automated system were
tricked into processing a specially crafted tar archive, a remote attacker
could use this issue to modify permissions of arbitrary directories
outside the extraction root, and possibly escalate privileges.
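USN-8138-2 and USN-8168-2 are the same defect (CVE-2026-33056) in two places: tar-rs as a library and the copy of it embedded in rustc. The class of problem both advisories describe, a symlink in the archive through which later members are created and have their permissions applied so that the change lands on a directory outside the extraction root, can be spotted from archive metadata alone before anything touches the filesystem. The Python below, added as an example and not the tar-rs project's code or its fix, builds two archives in memory (both constructed for this example) and scans them for members whose path passes through an earlier symlink member and resolves outside an assumed extraction root of /srv/unpack. The resolver handles absolute targets and relative targets containing "..", but deliberately follows only one symlink hop.

```python
# Added example: find tar members written "through" a symlink that the same
# archive declares, resolving to a path outside the extraction root.
# Not tar-rs code; the root directory and the sample archives are assumptions.
import io
import posixpath
import tarfile


def _norm(name):
    """Normalise an archive member name to a relative POSIX path."""
    name = posixpath.normpath(name).lstrip("/")
    return "" if name == "." else name


def _resolve_through_symlink(root, link_name, link_target, rest):
    """Where <link_name>/<rest> really lands once link_name is a symlink."""
    if posixpath.isabs(link_target):
        base = posixpath.normpath(link_target)
    else:
        base = posixpath.normpath(
            posixpath.join(root, posixpath.dirname(link_name), link_target))
    return posixpath.normpath(posixpath.join(base, rest)) if rest else base


def find_symlink_escapes(tar_bytes, root="/srv/unpack"):
    """List (member, resolved_path) for members that pass through an earlier
    symlink member and resolve outside root.  Only one symlink hop is
    followed; root is an assumed extraction directory, never "/"."""
    root = posixpath.normpath(root)
    symlinks = {}          # member name -> link target, in archive order
    escapes = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            name = _norm(member.name)
            parts = name.split("/")
            # the first path prefix that is a known symlink decides where the
            # member is really created (and later chmod'ed)
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    real = _resolve_through_symlink(
                        root, prefix, symlinks[prefix], "/".join(parts[i:]))
                    if not (real == root or real.startswith(root + "/")):
                        escapes.append((name, real))
                    break
            if member.issym():
                symlinks[name] = member.linkname
    return escapes


def build_archive(entries):
    """Build an uncompressed tar in memory from (name, kind, extra) tuples;
    kind is "dir", "sym" (extra = link target) or "file" (extra = bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, extra in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type, info.mode = tarfile.DIRTYPE, 0o777
                tf.addfile(info)
            elif kind == "sym":
                info.type, info.linkname = tarfile.SYMTYPE, extra
                tf.addfile(info)
            else:
                info.size = len(extra)
                tf.addfile(info, io.BytesIO(extra))
    return buf.getvalue()


# Constructed malicious archive: each symlink precedes the members that are
# written through it, which is the order a naive extractor follows.
MALICIOUS = build_archive([
    ("escape", "sym", "/etc"),        # absolute target outside the root
    ("escape", "dir", None),          # same name: mode 0777 would be applied to /etc
    ("escape/cron.d", "dir", None),   # child created through the link
    ("up", "sym", "../../var/lib"),   # relative target that climbs out of the root
    ("up/x", "file", b"x"),
])

# Constructed benign archive: the symlink stays inside the root.
BENIGN = build_archive([
    ("data", "dir", None),
    ("link", "sym", "data"),
    ("link/readme", "file", b"hi"),
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, find_symlink_escapes(blob))
```

The shape to look for is a symlink followed by a directory entry of the same name or beneath it: an extractor that creates the link, then sees the directory already "exists" and applies the archived mode to it, ends up changing permissions on the link's target. Rejecting any member that resolves outside the root before extraction, or extracting with a tool that refuses such symlinks (Python's tarfile "data" filter does), closes the gap; when attributes are applied after extraction, resolve the real path and confirm it is still under the root rather than trusting the archive path.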

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
rustc 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1
Available with Ubuntu Pro
rustc-1.76 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1
Available with Ubuntu Pro
rustc-1.77 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1
Available with Ubuntu Pro
rustc-1.78 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1
Available with Ubuntu Pro
rustc-1.79 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.3
Available with Ubuntu Pro
rustc-1.80 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
rustc 1.65.0+dfsg0ubuntu1~llvm2-0ubuntu0.18.04.1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
rustc 1.47.0+dfsg1+llvm-1ubuntu1~16.04.1ubuntu2
Available with Ubuntu Pro

Ubuntu 14.04 LTS
rustc 1.31.0+dfsg1+llvm-2ubuntu1~14.04.1ubuntu1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8168-2
https://ubuntu.com/security/notices/USN-8168-1
CVE-2026-33056