Ubuntu update for linux



| Updated: 2025-04-23
Risk Medium
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2020-14351
CVE-2020-14390
CVE-2020-25211
CVE-2020-25284
CVE-2020-25285
CVE-2020-25641
CVE-2020-25643
CVE-2020-25645
CVE-2020-28915
CVE-2020-4788
CWE-ID CWE-416
CWE-125
CWE-119
CWE-863
CWE-476
CWE-835
CWE-319
CWE-126
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Ubuntu
Operating systems & Components / Operating system

linux-image-azure (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1100-azure (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-virtual (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-snapdragon (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-raspi2 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-oracle-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-oem (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-lowlatency (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-kvm (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gke-4.15 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gke (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-generic-lpae (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-generic (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gcp-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-azure-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-aws-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-126-lowlatency (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-126-generic-lpae (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-126-generic (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1103-oem (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1091-snapdragon (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1088-gcp (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1088-aws (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1079-kvm (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1074-raspi2 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1074-gke (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1059-oracle (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-virtual-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-oracle (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-lowlatency-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-generic-lpae-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-generic-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gcp (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-azure-edge (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-aws-hwe (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU51544

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14351

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the perf subsystem. A local user with permission to monitor perf events cam corrupt memory and execute arbitrary code with elevated privileges.


Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU47220

Risk: Medium

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-14390

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an out-of-bounds read that occurs leading to memory corruption or a denial of service. This highest threat from this vulnerability is to system availability.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU51545

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25211

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to crash the system.

The vulnerability exists due to a boundary error within the ctnetlink_parse_tuple_filter() function in net/netfilter/nf_conntrack_netlink.c. A local user can inject conntrack netlink configuration, trigger buffer overflow and crash the kernel or force usage of incorrect protocol numbers.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect authorization

EUVDB-ID: #VU92423

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25284

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: No

Description

The vulnerability allows a local privileged user to manipulate data.

The vulnerability exists due to incorrect authorization error within the rbd_config_info_show(), rbd_image_refresh(), do_rbd_add() and do_rbd_remove() functions in drivers/block/rbd.c. A local privileged user can manipulate data.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU90669

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25285

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to NULL pointer dereference within the allowed_mems_nr(), hugetlb_sysctl_handler_common() and hugetlb_overcommit_handler() functions in mm/hugetlb.c. A local privileged user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Infinite loop

EUVDB-ID: #VU48941

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25641

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect implementation of biovecs in Linux kernel. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. A local user can issue requests to a block device and perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds read

EUVDB-ID: #VU51881

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-25643

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the HDLC_PPP module of the Linux kernel in the ppp_cp_parse_cr() function. A remote authenticated user can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cleartext transmission of sensitive information

EUVDB-ID: #VU51546

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-25645

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to traffic passed between two Geneve endpoints with configured IPsec can be unencrypted for the specific UDP port. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer Over-read

EUVDB-ID: #VU64793

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-28915

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a local user with physical access to perform a denial of service attack.

The vulnerability exists due to an out-of-bounds (OOB) memory access flaw in fbcon_get_font() function in drivers/video/fbdev/core/fbcon.c in fbcon driver module in the Linux kernel. A local user with special user privilege and with physical access can gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Information disclosure

EUVDB-ID: #VU48577

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-4788

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists in IBM Power9 processors due to unspecified error. A local user can obtain sensitive information from the data in the L1 cache under extenuating circumstances.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-azure (Ubuntu package): before 4.15.0.1100.75

linux-image-4.15.0-1100-azure (Ubuntu package): before 4.15.0-1100.111~14.04.1

linux-image-virtual (Ubuntu package): before 4.15.0.126.113

linux-image-snapdragon (Ubuntu package): before 4.15.0.1091.94

linux-image-raspi2 (Ubuntu package): before 4.15.0.1074.71

linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1059.69

linux-image-oem (Ubuntu package): before 4.15.0.126.125

linux-image-lowlatency (Ubuntu package): before 4.15.0.126.113

linux-image-kvm (Ubuntu package): before 4.15.0.1079.75

linux-image-gke-4.15 (Ubuntu package): before 4.15.0.1074.78

linux-image-gke (Ubuntu package): before 4.15.0.1074.78

linux-image-generic-lpae (Ubuntu package): before 4.15.0.126.113

linux-image-generic (Ubuntu package): before 4.15.0.126.113

linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1088.106

linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1100.73

linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1088.90

linux-image-4.15.0-126-lowlatency (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic-lpae (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-126-generic (Ubuntu package): before 4.15.0-126.129~16.04.1

linux-image-4.15.0-1103-oem (Ubuntu package): before 4.15.0-1103.114

linux-image-4.15.0-1091-snapdragon (Ubuntu package): before 4.15.0-1091.100

linux-image-4.15.0-1088-gcp (Ubuntu package): before 4.15.0-1088.101~16.04.1

linux-image-4.15.0-1088-aws (Ubuntu package): before 4.15.0-1088.93~16.04.1

linux-image-4.15.0-1079-kvm (Ubuntu package): before 4.15.0-1079.81

linux-image-4.15.0-1074-raspi2 (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1074-gke (Ubuntu package): before 4.15.0-1074.79

linux-image-4.15.0-1059-oracle (Ubuntu package): before 4.15.0-1059.65~16.04.1

linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-oracle (Ubuntu package): before 4.15.0.1059.48

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.126.125

linux-image-gcp (Ubuntu package): before 4.15.0.1088.89

linux-image-azure-edge (Ubuntu package): before 4.15.0.1100.93

linux-image-aws-hwe (Ubuntu package): before 4.15.0.1088.82

CPE2.3 External links

https://ubuntu.com/security/notices/USN-4660-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###