Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option....
Published: Jun 30, 2025
Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_ch...
Published: May 30, 2025
In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use systemd socket activation for openssh-server. This could unknowingly leave the lo...
Published: Apr 15, 2025
accountsservice no longer drops permissions when writing .pam_environment...
Published: Mar 25, 2025
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server...
Published: Feb 28, 2025
Ubuntu's configuration of gnome-control-center allowed Remote Desktop Sharing to be enabled by default....
Published: Jan 31, 2025
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote at...
Published: Jul 1, 2024
When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and m...
Published: Jun 21, 2024
Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing...
Published: Jun 4, 2024
Apport does not disable python crash handler before entering chroot...
Published: Jun 4, 2024
is_closing_session() allows users to consume RAM in the Apport process...
Published: Jun 4, 2024
is_closing_session() allows users to create arbitrary tcp dbus connections...
Published: Jun 4, 2024
is_closing_session() allows users to fill up apport.log...
Published: Jun 4, 2024
~/.config/apport/settings parsing is vulnerable to "billion laughs" attack...
Published: Jun 4, 2024
Apport can be tricked into connecting to arbitrary sockets as the root user...
Published: Jun 3, 2024
There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allows an attacker to execute arbitrary code as root....
Published: Jun 3, 2024
The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab...
Published: Jan 8, 2024
It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use thi...
Published: Jan 8, 2024
Race condition in snap-confine's must_mkdir_and_open_with_perms()...
Published: Jan 8, 2024
io_uring UAF, Unix SCM garbage collection...
Published: Jan 8, 2024
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0....
Published: Jan 8, 2024
It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted....
Published: Jan 8, 2024
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free....
Published: Jan 8, 2024
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafte...
Published: Oct 3, 2023
An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled....
Published: Aug 14, 2023
BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c....
Published: Sep 2, 2022
BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len....
Published: Sep 2, 2022
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite...
Published: Mar 4, 2022
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphers...
Published: Sep 9, 2020
Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following....
Published: Aug 20, 2020
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An att...
Published: Aug 17, 2020
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted t...
Published: Mar 25, 2020
When a device was changed while a stream was about to be destroyed, the `stream-reinit` task may have been executed after the stream was destroyed, causing a use-after-free and a potentiall...
Published: Mar 25, 2020
By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potent...
Published: Mar 25, 2020
When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. This vulnerability affects Thunderbir...
Published: Mar 25, 2020
In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls....
Published: Mar 24, 2020
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23....
Published: Mar 23, 2020
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23....
Published: Mar 23, 2020
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi....
Published: Mar 20, 2020
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issu...
Published: Mar 20, 2020
Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access...
Published: Mar 12, 2020
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() func...
Published: Mar 12, 2020
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remain...
Published: Mar 12, 2020
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was...
Published: Mar 12, 2020
usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init....
Published: Mar 6, 2020
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is no...
Published: Mar 5, 2020
init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses ...
Published: Mar 5, 2020
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suit...
Published: Mar 5, 2020
The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen w...
Published: Mar 4, 2020
WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the versions right before 2.28.0) contain a memory corruption issue (use-after-free) that may lead to arbitrary code execution. This ...
Published: Mar 2, 2020