
Ubuntu administrators should install the security updates released this week to protect their systems from several serious flaws in widely used packages. The Tomcat notice alone addresses six separate vulnerabilities, ranging from memory exhaustion and a possible crash or code execution to credential exposure and bypasses of authentication, account lockout and authorization controls. Smaller notices fix a logging regression in Exim, a command execution issue in HTTP-Daemon and a denial of service crash in uriparser. Organizations running Ubuntu 20.04 LTS should prioritize the Samba update, which backports fixes for a domain controller WINS server denial of service and two issues in the SAMR server and printing subsystem that could lead to arbitrary code execution.

[USN-8417-1] Tomcat vulnerabilities
[USN-6455-2] Exim regression
[USN-8419-1] HTTP-Daemon vulnerability
[USN-8409-1] uriparser vulnerability
[USN-8306-2] Samba vulnerabilities




[USN-8417-1] Tomcat vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8417-1
June 10, 2026

tomcat9, tomcat10 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat10: Servlet and JSP engine
- tomcat9: Servlet and JSP engine

Details:

It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)

It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)

It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)

It was discovered that Tomcat incorrectly handled digest
authentication. A remote attacker could possibly use this issue to
bypass authentication restrictions. (CVE-2026-43512)

It was discovered that Tomcat incorrectly handled case sensitivity
in LockOutRealm. A remote attacker could possibly use this issue to
bypass account lockout protections and obtain sensitive information.
(CVE-2026-43513)

It was discovered that Tomcat incorrectly handled authorization
when multiple method constraints defined the same HTTP method. A
remote attacker could possibly use this issue to bypass
authorization restrictions. (CVE-2026-43515)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libtomcat10-embed-java 10.1.40-1ubuntu1.26.04.1
libtomcat10-java 10.1.40-1ubuntu1.26.04.1
libtomcat9-java 9.0.115-1ubuntu0.1
tomcat10 10.1.40-1ubuntu1.26.04.1

Ubuntu 25.10
libtomcat10-embed-java 10.1.40-1ubuntu1.25.10.1
libtomcat10-java 10.1.40-1ubuntu1.25.10.1
libtomcat9-java 9.0.95-1ubuntu1.1
tomcat10 10.1.40-1ubuntu1.25.10.1

Ubuntu 24.04 LTS
libtomcat10-embed-java 10.1.16-1ubuntu0.1~esm4
Available with Ubuntu Pro
libtomcat10-java 10.1.16-1ubuntu0.1~esm4
Available with Ubuntu Pro
libtomcat9-java 9.0.70-2ubuntu0.1+esm3
Available with Ubuntu Pro
tomcat10 10.1.16-1ubuntu0.1~esm4
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libtomcat9-embed-java 9.0.58-1ubuntu0.2+esm4
Available with Ubuntu Pro
libtomcat9-java 9.0.58-1ubuntu0.2+esm4
Available with Ubuntu Pro
tomcat9 9.0.58-1ubuntu0.2+esm4
Available with Ubuntu Pro

Ubuntu 20.04 LTS
libtomcat9-embed-java 9.0.31-1ubuntu0.9+esm3
Available with Ubuntu Pro
libtomcat9-java 9.0.31-1ubuntu0.9+esm3
Available with Ubuntu Pro
tomcat9 9.0.31-1ubuntu0.9+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libtomcat9-embed-java 9.0.16-3ubuntu0.18.04.2+esm8
Available with Ubuntu Pro
libtomcat9-java 9.0.16-3ubuntu0.18.04.2+esm8
Available with Ubuntu Pro
tomcat9 9.0.16-3ubuntu0.18.04.2+esm8
Available with Ubuntu Pro

After a standard system update you need to restart Tomcat to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8417-1
CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512,
CVE-2026-43513, CVE-2026-43515

Package Information:
https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.26.04.1
https://launchpad.net/ubuntu/+source/tomcat9/9.0.115-1ubuntu0.1
https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.25.10.1
https://launchpad.net/ubuntu/+source/tomcat9/9.0.95-1ubuntu1.1



[USN-6455-2] Exim regression


==========================================================================
Ubuntu Security Notice USN-6455-2
June 10, 2026

exim4 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

USN-6455-1 introduced a regression in Exim

Software Description:
- exim4: Exim is a mail transport agent

Details:

USN-6455-1 fixed vulnerabilities in Exim. The fix for CVE-2023-42117
introduced a regression on Ubuntu 22.04 LTS that resulted in certain
connections logging a Taint mismatch error. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Exim incorrectly handled validation of user-supplied
data, which could lead to memory corruption. A remote attacker could
possibly use this issue to execute arbitrary code. (CVE-2023-42117)

It was discovered that Exim incorrectly handled validation of user-supplied
data, which could lead to an out-of-bounds read. An attacker could possibly
use this issue to expose sensitive information. (CVE-2023-42119)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
exim4 4.95-4ubuntu2.10
exim4-daemon-heavy 4.95-4ubuntu2.10
exim4-daemon-light 4.95-4ubuntu2.10

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6455-2
https://ubuntu.com/security/notices/USN-6455-1
https://launchpad.net/bugs/2152830

Package Information:
https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.10



[USN-8419-1] HTTP-Daemon vulnerability


==========================================================================
Ubuntu Security Notice USN-8419-1
June 10, 2026

libhttp-daemon-perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

HTTP-Daemon could be made to run programs if it received specially crafted
network traffic.

Software Description:
- libhttp-daemon-perl: simple http server class

Details:

It was discovered that HTTP-Daemon incorrectly handled untrusted input
under certain circumstances. A remote attacker could possibly use this
issue to execute arbitrary commands, create or overwrite arbitrary files,
or expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libhttp-daemon-perl 6.16-1ubuntu0.26.04.1

Ubuntu 25.10
libhttp-daemon-perl 6.16-1ubuntu0.25.10.1

Ubuntu 24.04 LTS
libhttp-daemon-perl 6.16-1ubuntu0.24.04.1

Ubuntu 22.04 LTS
libhttp-daemon-perl 6.13-1ubuntu0.2

Ubuntu 20.04 LTS
libhttp-daemon-perl 6.06-1ubuntu0.1+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libhttp-daemon-perl 6.01-1ubuntu0.1+esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libhttp-daemon-perl 6.01-1ubuntu0.16.04~esm2
Available with Ubuntu Pro

Ubuntu 14.04 LTS
libhttp-daemon-perl 6.01-1ubuntu0.14.04~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8419-1
CVE-2026-8450

Package Information:
https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.16-1ubuntu0.26.04.1
https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.16-1ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.16-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/libhttp-daemon-perl/6.13-1ubuntu0.2



[USN-8409-1] uriparser vulnerability


==========================================================================
Ubuntu Security Notice USN-8409-1
June 09, 2026

uriparser vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

uriparser could be made to crash if it received specially crafted
input.

Software Description:
- uriparser: Strictly RFC 3986 compliant URI parsing library

Details:

It was discovered that uriparser incorrectly handled certain URI strings.
An attacker could possibly use this issue to cause uriparser to crash,
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
liburiparser1 0.9.7+dfsg-2ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 22.04 LTS
liburiparser1 0.9.6+dfsg-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 20.04 LTS
liburiparser1 0.9.3-2ubuntu0.1~esm4
Available with Ubuntu Pro

Ubuntu 18.04 LTS
liburiparser1 0.8.4-1+deb9u2ubuntu0.1+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
liburiparser1 0.8.4-1ubuntu0.16.04.1~esm5
Available with Ubuntu Pro

Ubuntu 14.04 LTS
liburiparser1 0.7.5-1ubuntu2+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8409-1
CVE-2025-67899



[USN-8306-2] Samba vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8306-2
June 10, 2026

samba vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Samba.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

USN-8306-1 fixed vulnerabilities in Samba. This update provides the
corresponding updates for CVE-2026-3238, CVE-2026-4408, and
CVE-2026-4480 in Ubuntu 20.04 LTS.

Original advisory details:

Asim Viladi Oglu Manizada discovered that Samba incorrectly handled access
checks on reparse point operations. An attacker could possibly use this
issue to modify reparse point extended attributes on files that should
have been read-only. This issue only affected Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-1933)

Pavel Kohout discovered that Samba's vfs_worm module did not properly
block file overwrites. An attacker could possibly use this issue to
overwrite files that should have remained immutable. (CVE-2026-2340)

Arad Inbar, Nir Somech, and Ben Grinberg discovered that Samba incorrectly
handled certificate auto-enrolment group policies over HTTP without
verification. A machine-in-the-middle attacker could possibly use this
issue to install a malicious CA certificate. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-3012)

Arad Inbar, Erez Cohen, Nir Somech, and Ben Grinberg discovered that
Samba's Active Directory Domain Controller WINS server could be made to
crash under certain circumstances. A remote attacker could possibly use
this issue to cause a denial of service. (CVE-2026-3238)

Ron Ben Yizhak discovered that Samba's DCE/RPC SAMR server incorrectly
handled a non-default password check script configuration. A remote
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-4408)

Ron Ben Yizhak discovered that Samba's printing subsystem incorrectly
handled a non-default print command configuration. A remote attacker could
possibly use this issue to execute arbitrary code. (CVE-2026-4480)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
ctdb 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
libnss-winbind 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
libpam-winbind 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
libsmbclient 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
libsmbclient-dev 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
libwbclient-dev 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
libwbclient0 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
python3-samba 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
registry-tools 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba-common 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba-common-bin 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba-dev 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba-dsdb-modules 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba-libs 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
samba-vfs-modules 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
smbclient 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro
winbind 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
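Every notice above ends with a list of fixed package versions, and the suffixes in those lists (+esm2, ~esm4, a 2: epoch on Samba) are exactly where a plain string comparison gives the wrong answer. The following added example, not Ubuntu's code, reimplements the dpkg version ordering from deb-version(7) in Python so an inventory can be audited offline against the versions in USN-8417-1 and USN-8306-2 for Ubuntu 20.04 LTS; the INSTALLED dict is a constructed sample standing in for real dpkg-query output.

```python
# Added example, not Ubuntu's code: the dpkg version ordering from deb-version(7), in Python.
def _order(c):  # weights: digits 0, letters their code point, '~' sorts below end of string
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit and digit runs, exactly as dpkg's verrevcmp() does.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are not significant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1  # the longer digit run is the larger number (115 > 95)
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b: epoch, then upstream, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Fixed versions for Ubuntu 20.04 LTS, copied from USN-8417-1 and USN-8306-2 above.
FIXED = {
    "tomcat9": "9.0.31-1ubuntu0.9+esm3",
    "samba": "2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2",
    "winbind": "2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2",
}

# Constructed sample inventory in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`.
INSTALLED = {
    "tomcat9": "9.0.31-1ubuntu0.9+esm2",             # one ESM build behind
    "samba": "2:4.15.13+dfsg-0ubuntu0.20.04.8+esm2",   # exactly the fixed version
    "winbind": "2:4.15.13+dfsg-0ubuntu0.20.04.8",      # lacks the +esm2 suffix
}

def unpatched(installed, fixed=FIXED):
    return [p for p, v in fixed.items() if p in installed and compare_versions(installed[p], v) < 0]
```

On a single host `dpkg --compare-versions` gives the same answer directly; the Python port is for checking collected inventories from many hosts. Note that a ~esm build sorts below the same version without the tilde, while a +esm build sorts above it.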

References:
https://ubuntu.com/security/notices/USN-8306-2
https://ubuntu.com/security/notices/USN-8306-1
CVE-2026-3238, CVE-2026-4408, CVE-2026-4480