[USN-8237-1] WebKitGTK vulnerabilities
[USN-8238-1] EditorConfig vulnerability
[USN-8231-1] Dynaconf vulnerability
[USN-8239-1] Apache HTTP Server vulnerabilities
[USN-8233-2] nghttp2 vulnerability
[USN-8237-1] WebKitGTK vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8237-1
May 06, 2026
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in WebKitGTK.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libjavascriptcoregtk-4.1-0 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 2.52.3-0ubuntu0.26.04.2
Ubuntu 25.10
libjavascriptcoregtk-4.1-0 2.52.3-0ubuntu0.25.10.1
libjavascriptcoregtk-6.0-1 2.52.3-0ubuntu0.25.10.1
libwebkit2gtk-4.1-0 2.52.3-0ubuntu0.25.10.1
libwebkitgtk-6.0-4 2.52.3-0ubuntu0.25.10.1
Ubuntu 24.04 LTS
libjavascriptcoregtk-4.1-0 2.52.3-0ubuntu0.24.04.1
libjavascriptcoregtk-6.0-1 2.52.3-0ubuntu0.24.04.1
libwebkit2gtk-4.1-0 2.52.3-0ubuntu0.24.04.1
libwebkitgtk-6.0-4 2.52.3-0ubuntu0.24.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8237-1
CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511,
CVE-2025-46299, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636,
CVE-2026-20643, CVE-2026-20644, CVE-2026-20652, CVE-2026-20664,
CVE-2026-20665, CVE-2026-20676, CVE-2026-20691, CVE-2026-28857,
CVE-2026-28859, CVE-2026-28861, CVE-2026-28871
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.52.3-0ubuntu0.26.04.2
https://launchpad.net/ubuntu/+source/webkit2gtk/2.52.3-0ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.52.3-0ubuntu0.24.04.1
[USN-8238-1] EditorConfig vulnerability
==========================================================================
Ubuntu Security Notice USN-8238-1
May 06, 2026
editorconfig-core vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
EditorConfig could be made to crash if it opened a specially crafted file.
Software Description:
- editorconfig-core: coding style indenter across editors
Details:
It was discovered that EditorConfig incorrectly handled specially crafted
configuration files. A local attacker could possibly use this issue to
cause EditorConfig to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
editorconfig 0.12.10+~0.17.1-3ubuntu0.1
libeditorconfig0 0.12.10+~0.17.1-3ubuntu0.1
Ubuntu 25.10
editorconfig 0.12.9+~0.17.1-1ubuntu2.1
libeditorconfig0 0.12.9+~0.17.1-1ubuntu2.1
Ubuntu 24.04 LTS
editorconfig 0.12.7-0.1ubuntu0.1
libeditorconfig0 0.12.7-0.1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8238-1
CVE-2026-40489
Package Information:
https://launchpad.net/ubuntu/+source/editorconfig-core/0.12.10+~0.17.1-3ubuntu0.1
https://launchpad.net/ubuntu/+source/editorconfig-core/0.12.9+~0.17.1-1ubuntu2.1
https://launchpad.net/ubuntu/+source/editorconfig-core/0.12.7-0.1ubuntu0.1
[USN-8231-1] Dynaconf vulnerability
==========================================================================
Ubuntu Security Notice USN-8231-1
May 06, 2026
python-dynaconf vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Dynaconf could be made to execute arbitrary code.
Software Description:
- python-dynaconf: Configuration Management for Python
Details:
It was discovered that Dynaconf was incorrectly handling template evaluation
in its string resolvers. A remote attacker could possibly use this issue
to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python3-dynaconf 3.2.12-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 25.10
python3-dynaconf 3.1.7-2ubuntu0.25.10.1
Ubuntu 24.04 LTS
python3-dynaconf 3.1.7-2ubuntu0.24.04.1
Ubuntu 22.04 LTS
python3-dynaconf 3.1.7-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8231-1
CVE-2026-33154
Package Information:
https://launchpad.net/ubuntu/+source/python-dynaconf/3.1.7-2ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/python-dynaconf/3.1.7-2ubuntu0.24.04.1
[USN-8239-1] Apache HTTP Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8239-1
May 06, 2026
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache
HTTP Server incorrectly handled certain memory operations when using the
HTTP/2 protocol. A remote attacker could use this issue to cause Apache
HTTP Server to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-23918)
It was discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain privileges. A local attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-24072)
Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani
discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly
handled certain AJP server messages. An attacker in control of a backend
AJP server could use this issue to cause Apache HTTP Server to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-28780)
Pavel Kohout discovered that Apache HTTP Server did not properly limit
resource allocation in mod_md when processing OCSP response data. A
remote attacker could possibly use this issue to cause a denial of
service. (CVE-2026-29168)
Pavel Kohout discovered that the Apache HTTP Server incorrectly handled
certain memory operations in mod_dav_lock. A remote attacker could possibly
use this issue to cause Apache HTTP Server to crash, resulting in a denial
of service. (CVE-2026-29169)
Nitescu Lucian discovered that Apache HTTP Server had a timing attack
vulnerability in mod_auth_digest. A remote attacker could possibly
use this issue to bypass Digest authentication. (CVE-2026-33006)
Pavel Kohout and Arkadi Vainbrand discovered that Apache HTTP Server
incorrectly handled certain memory operations in mod_authn_socache. A
remote attacker could possibly use this issue to cause Apache HTTP Server
to crash, resulting in a denial of service. (CVE-2026-33007)
Haruki Oyama, Merih Mengisteab, and Dawit Jeong discovered that
Apache HTTP Server had an HTTP response splitting vulnerability in
multiple modules when used with untrusted or compromised backend
servers. An attacker could possibly use this issue to inject arbitrary
HTTP headers. (CVE-2026-33523)
Elhanan Haenel discovered that Apache HTTP Server incorrectly handled
certain memory operations in mod_proxy_ajp. A remote attacker could
possibly use this issue to cause Apache HTTP Server to crash, resulting in
a denial of service. (CVE-2026-33857)
Tianshuo Han and Jérôme Djouder discovered that Apache HTTP Server
incorrectly handled certain string operations in mod_proxy_ajp. A remote
attacker could possibly use this issue to obtain sensitive information.
(CVE-2026-34032)
Elhanan Haenel discovered that Apache HTTP Server incorrectly handled
certain memory operations in mod_proxy_ajp. A remote attacker could use
this issue to cause Apache HTTP Server to crash, resulting in a denial of
service, or possibly obtain sensitive information. (CVE-2026-34059)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
apache2 2.4.66-2ubuntu2.1
Ubuntu 25.10
apache2 2.4.64-1ubuntu3.4
Ubuntu 24.04 LTS
apache2 2.4.58-1ubuntu8.12
Ubuntu 22.04 LTS
apache2 2.4.52-1ubuntu4.20
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8239-1
CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168,
CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523,
CVE-2026-33857, CVE-2026-34032, CVE-2026-34059
Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.66-2ubuntu2.1
https://launchpad.net/ubuntu/+source/apache2/2.4.64-1ubuntu3.4
https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.12
https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.20
[USN-8233-2] nghttp2 vulnerability
==========================================================================
Ubuntu Security Notice USN-8233-2
May 06, 2026
nghttp2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
Summary:
nghttp2 could be made to crash if it received specially crafted network
traffic.
Software Description:
- nghttp2: HTTP/2 C Library and tools
Details:
USN-8233-1 fixed a vulnerability in nghttp2. This update provides the
corresponding update for Ubuntu 26.04 LTS.
Original advisory details:
Andrew MacPherson discovered that nghttp2 did not properly validate
internal state when the session termination API was called. A remote
attacker could possibly use this issue to cause nghttp2 to crash,
resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libnghttp2-14 1.68.0-2ubuntu0.1
nghttp2 1.68.0-2ubuntu0.1
In general, a standard system update will make all the necessary
changes.
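Each of the five notices above gives the fix as a per-release list of package versions; whether a host is still affected is decided by dpkg's version ordering, not by string comparison. The following is an added example (not Ubuntu's, dpkg's or any of the listed projects' own code) that implements that ordering in Python and checks a constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output against the Ubuntu 24.04 LTS fixed versions taken from the notices. The installed versions in the sample are made up for the example; the package names and fixed versions come from the notices. Note the `~esm1` suffix on the Ubuntu Pro builds: dpkg sorts `~` before the empty string, so `3.2.12-1ubuntu0.1~esm1` is older than `3.2.12-1ubuntu0.1`, which a plain string comparison would get wrong.

```python
"""Compare installed package versions with the fixed versions from a security
notice, using dpkg's ordering (epoch, upstream version, Debian revision).
Added example; not Ubuntu's or dpkg's own code."""


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as in dpkg's order()."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before even end-of-string: 1.0~rc1 < 1.0
    return ord(c) + 256    # other punctuation sorts after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs are compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit runs are compared numerically; leading zeros are ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1           # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts (epoch defaults to 0)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, ordering v1 against v2 as `dpkg --compare-versions` does."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


# Fixed versions for Ubuntu 24.04 LTS, copied from the notices above.
FIXED_VERSIONS_24_04 = {
    "libwebkit2gtk-4.1-0": "2.52.3-0ubuntu0.24.04.1",
    "libjavascriptcoregtk-4.1-0": "2.52.3-0ubuntu0.24.04.1",
    "libeditorconfig0": "0.12.7-0.1ubuntu0.1",
    "python3-dynaconf": "3.1.7-2ubuntu0.24.04.1",
    "apache2": "2.4.58-1ubuntu8.12",
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
# These installed versions are made up for the example, not from a real host.
SAMPLE_DPKG_OUTPUT = """\
apache2 2.4.58-1ubuntu8.11
libwebkit2gtk-4.1-0 2.52.3-0ubuntu0.24.04.1
libeditorconfig0 0.12.7-0.1
python3-dynaconf 3.1.7-2ubuntu0.24.04.1
"""


def parse_dpkg_output(text: str) -> dict:
    """Turn 'package version' lines into a {package: version} dict."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def outstanding_updates(installed: dict, fixed: dict) -> dict:
    """Map each installed package still below its fixed version to (installed, fixed).
    Packages that are not installed cannot be affected and are skipped."""
    return {
        pkg: (installed[pkg], want)
        for pkg, want in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], want) < 0
    }


if __name__ == "__main__":
    pending = outstanding_updates(parse_dpkg_output(SAMPLE_DPKG_OUTPUT), FIXED_VERSIONS_24_04)
    for pkg, (have, want) in sorted(pending.items()):
        print(f"{pkg}: installed {have}, fixed in {want}")
```

On a real host, feed the output of the `dpkg-query` command above into `parse_dpkg_output` and supply the table for the release you run; apt performs the same comparison when it applies the standard system update, so the script is useful for auditing many hosts or for verifying an inventory after the update has been applied.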
References:
https://ubuntu.com/security/notices/USN-8233-2
https://ubuntu.com/security/notices/USN-8233-1
CVE-2026-27135
Package Information:
https://launchpad.net/ubuntu/+source/nghttp2/1.68.0-2ubuntu0.1