Ubuntu update for linux



Risk Medium
Patch available YES
Number of vulnerabilities 20
CVE-ID CVE-2022-23041
CVE-2024-56615
CVE-2024-56600
CVE-2025-21700
CVE-2024-56658
CVE-2024-35960
CVE-2024-50265
CVE-2025-21702
CVE-2024-53227
CVE-2024-53165
CVE-2024-50167
CVE-2024-26863
CVE-2024-35973
CVE-2024-46826
CVE-2021-47119
CVE-2024-50302
CVE-2024-49952
CVE-2021-47101
CVE-2024-49948
CVE-2024-56595
CWE-ID CWE-362
CWE-125
CWE-416
CWE-665
CWE-401
CWE-399
CWE-908
CWE-20
CWE-119
Exploitation vector Local
Public exploit Vulnerability #16 is being exploited in the wild.
Vulnerable software
 Ubuntu
Operating systems & Components / Operating system

linux-image-4.15.0-236-lowlatency (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-236-generic (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1187-azure (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1179-aws (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1172-gcp (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1162-kvm (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-4.15.0-1141-oracle (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-oracle-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gcp-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-azure-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-aws-lts-18.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-lowlatency (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-kvm (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-generic (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-virtual (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gcp (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-gke (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-azure (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-aws-hwe (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-generic-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-lowlatency-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-oem (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-virtual-hwe-16.04 (Ubuntu package)
Operating systems & Components / Operating system package or component

linux-image-oracle (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 20 vulnerabilities.

1) Race condition

EUVDB-ID: #VU63310

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-23041

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to a race condition in blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls ring buffers. A malicious backend can exploit the race condition and read or write data or perform a denial of service attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU102083

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56615

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the dev_map_alloc(), dev_map_delete_elem() and dev_map_hash_delete_elem() functions in kernel/bpf/devmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU102016

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56600

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the htons() function in net/ipv6/af_inet6.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU103959

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:U/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21700

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the qdisc_lookup() function in net/sched/sch_api.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

EUVDB-ID: #VU102033

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56658

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the LLIST_HEAD(), net_free() and cleanup_net() functions in net/core/net_namespace.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Initialization

EUVDB-ID: #VU93351

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35960

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper initialization within the add_rule_fg() function in drivers/net/ethernet/mellanox/mlx5/core/fs_core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory leak

EUVDB-ID: #VU100610

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50265

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ocfs2_xa_remove() function in fs/ocfs2/xattr.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Resource management error

EUVDB-ID: #VU104074

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:U/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21702

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the pfifo_tail_enqueue() function in net/sched/sch_fifo.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Use-after-free

EUVDB-ID: #VU102067

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53227

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the bfad_init() function in drivers/scsi/bfa/bfad.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use-after-free

EUVDB-ID: #VU102062

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53165

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the register_intc_controller() function in drivers/sh/intc/core.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory leak

EUVDB-ID: #VU100053

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50167

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the be_xmit() function in drivers/net/ethernet/emulex/benet/be_main.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use of uninitialized resource

EUVDB-ID: #VU90877

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26863

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the hsr_get_node() function in net/hsr/hsr_framereg.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use of uninitialized resource

EUVDB-ID: #VU90872

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35973

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the geneve_xmit_skb() and geneve6_xmit_skb() functions in drivers/net/geneve.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Input validation error

EUVDB-ID: #VU97839

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46826

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the fs/binfmt_elf.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory leak

EUVDB-ID: #VU90018

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47119

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ext4_fill_super() and kfree() functions in fs/ext4/super.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory leak

EUVDB-ID: #VU100611

Risk: Medium

CVSSv4.0: 6.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2024-50302

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the hid_alloc_report_buf() function in drivers/hid/hid-core.c. A local user can perform a denial of service (DoS) attack.

Note, the vulnerability is being actively exploited in the wild against Android devices.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

17) Buffer overflow

EUVDB-ID: #VU99151

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-49952

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the nf_dup_ipv6_route() and nf_dup_ipv6() functions in net/ipv6/netfilter/nf_dup_ipv6.c, within the nf_dup_ipv4() function in net/ipv4/netfilter/nf_dup_ipv4.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Use of uninitialized resource

EUVDB-ID: #VU90882

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47101

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the asix_check_host_enable() function in drivers/net/usb/asix_common.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Input validation error

EUVDB-ID: #VU99042

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-49948

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the qdisc_pkt_len_init() function in net/core/dev.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Out-of-bounds read

EUVDB-ID: #VU102088

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56595

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the dbAdjTree() function in fs/jfs/jfs_dmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 18.04

linux-image-4.15.0-236-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-236-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1187-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1172-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1162-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1141-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7428-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###