<?xml version='1.0' encoding='UTF-8'?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0"><channel><title>Ubuntu security notices</title><link>https://ubuntu.com/security/notices/rss.xml</link><description>Recent content on Ubuntu security notices</description><atom:link href="https://ubuntu.com/security/notices/rss.xml" rel="self"/><copyright>2026 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.</copyright><docs>http://www.rssboard.org/rss-specification</docs><generator>Feedgen</generator><lastBuildDate>Tue, 14 Jul 2026 19:09:11 +0000</lastBuildDate><item><title>USN-8526-2: libheif vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8526-2</link><description>USN-8526-1 fixed vulnerabilities in libheif. This update provides the
corresponding updates for CVE-2026-47709 and CVE-2026-47714 in
Ubuntu 24.04 LTS.

Original advisory details:

 Junyi Liu discovered that libheif had a null pointer dereference in its
 image tiling interface. An attacker could possibly use this issue to
 cause a denial of service. (CVE-2026-47709)

 Calvin Young and Enoch Chow discovered that libheif had an integer
 overflow in its inline mask size calculation. An attacker could
 possibly use this issue to cause a denial of service or obtain sensitive
 information. (CVE-2026-47714)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8526-2</guid><pubDate>Tue, 14 Jul 2026 16:29:55 +0000</pubDate></item><item><title>USN-8540-1: OpenVPN vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8540-1</link><description>It was discovered that OpenVPN had a 1-byte buffer overrun when handling
NTLMv2 proxy responses. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-11771)

It was discovered that OpenVPN incorrectly handled metadata when extracting
tls-crypt-v2 client keys. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-12932)

It was discovered that OpenVPN had a use-after-free in the ack_write_buf
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-12996)

It was discovered that OpenVPN had a use-after-free in the tls_wrap_reneg
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13117)

It was discovered that OpenVPN incorrectly validated authentication tokens
when external authentication was enabled. A remote attacker could possibly
use this issue to cause OpenVPN to crash, resulting in a denial of service.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS.
(CVE-2026-13122)

It was discovered that OpenVPN had a memory leak when handling tls-crypt-v2
client keys. A remote attacker with a valid tls-crypt-v2 client key could
possibly use this issue to cause OpenVPN to consume excessive resources,
leading to a denial of service. (CVE-2026-13698)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8540-1</guid><pubDate>Tue, 14 Jul 2026 15:40:18 +0000</pubDate></item><item><title>USN-8539-1: GnuTLS vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8539-1</link><description>Haruto Kimura discovered that GnuTLS did not properly apply permitted
name constraints in certain certificate validation paths. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42011)

Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name
checks for certain URI and SRV subject alternative names. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42012)

Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell
back to Common Name checks when subject alternative names were
oversized. A remote attacker could possibly use this issue to bypass
certificate validation, leading to a machine-in-the-middle attack.
(CVE-2026-42013)

Luigino Camastra and Joshua Rogers discovered that GnuTLS had a
use-after-free issue when changing PKCS#11 token security officer PINs
in certain cases. An attacker could possibly use this issue to cause
GnuTLS to crash, resulting in a denial of service, or execute arbitrary
code. (CVE-2026-42014)

Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag
sizes in certain cases. An attacker could possibly use this issue to
cause GnuTLS to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-42015)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8539-1</guid><pubDate>Tue, 14 Jul 2026 15:16:35 +0000</pubDate></item><item><title>USN-8538-1: alsa-lib vulnerability</title><link>https://ubuntu.com/security/notices/USN-8538-1</link><description>It was discovered that alsa-lib incorrectly handled certain ALSA
configuration text. An attacker could use this issue to cause alsa-lib to
crash, resulting in a denial of service, or possibly execute arbitrary
code.</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8538-1</guid><pubDate>Tue, 14 Jul 2026 12:02:59 +0000</pubDate></item><item><title>USN-8537-1: httplib2 vulnerability</title><link>https://ubuntu.com/security/notices/USN-8537-1</link><description>It was discovered that httplib2 performed unbounded decompression of HTTP
response bodies when the server used gzip or deflate Content-Encoding. A
remote attacker could possibly use this issue to cause httplib2 to use
excessive resources, leading to a denial of service.</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8537-1</guid><pubDate>Tue, 14 Jul 2026 11:56:56 +0000</pubDate></item><item><title>USN-8536-1: MariaDB vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8536-1</link><description>It was discovered that MariaDB did not properly validate parameters
supplied by a joiner node during a State Snapshot Transfer using the
mariabackup method. An attacker could possibly use this issue to execute
arbitrary shell commands on the donor node. (CVE-2026-44168)

It was discovered that MariaDB did not properly enforce the SHOW CREATE
ROUTINE privilege when a user obtained access to a stored routine via a
role. An authenticated user could possibly use this issue to obtain
sensitive information. (CVE-2026-44169)

It was discovered that MariaDB's mbstream utility did not properly validate
paths when unpacking archives. An attacker could possibly use this issue to
write files outside of the intended target directory. (CVE-2026-44171)

It was discovered that MariaDB's mysql_real_escape_string() function
incorrectly handled the big5 character set. An attacker could possibly use
this issue to perform SQL injection attacks. (CVE-2026-44172)

It was discovered that MariaDB did not properly check the FILE privilege
when the FROM clause of a SELECT ... INTO OUTFILE or SELECT ... INTO
DUMPFILE statement contained only subqueries. An authenticated user could
possibly use this issue to write files to unintended locations.
(CVE-2026-44173)

It was discovered that MariaDB did not properly validate parameters
supplied by a joiner node during a State Snapshot Transfer using the rsync
method. An attacker could possibly use this issue to execute arbitrary
shell commands on the donor node. (CVE-2026-48163)

It was discovered that MariaDB allowed a high-privileged user to set
certain Galera system variables to values containing shell commands, which
were then executed by the server process. An authenticated user could
possibly use this issue to execute arbitrary shell commands.
(CVE-2026-48165)

It was discovered that MariaDB executed shell commands embedded in the name
of a joiner node when wsrep_notify_cmd was enabled. A remote attacker could
possibly use this issue to execute arbitrary shell commands.
(CVE-2026-49261)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8536-1</guid><pubDate>Tue, 14 Jul 2026 11:45:03 +0000</pubDate></item><item><title>USN-8535-1: PipeWire vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8535-1</link><description>It was discovered that PipeWire accepted unbounded Content-Length values
in its RAOP module. A remote attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 24.04 LTS.
(CVE-2026-14324)

It was discovered that PipeWire performed multiple unbounded stack
allocations in its PulseAudio protocol server. A local attacker could
possibly use this issue to cause a denial of service. (CVE-2026-14330)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8535-1</guid><pubDate>Mon, 13 Jul 2026 15:54:16 +0000</pubDate></item><item><title>USN-8534-1: LibreOffice vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8534-1</link><description>It was discovered that LibreOffice incorrectly handled importing DXF
drawings. An attacker could use this issue to cause LibreOffice to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-6039)

It was discovered that LibreOffice incorrectly handled certain ODF number
formats. An attacker could use this issue to cause LibreOffice to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-6040)

It was discovered that LibreOffice incorrectly handled importing EMF+
graphics. An attacker could use this issue to cause LibreOffice to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-6045)

It was discovered that LibreOffice incorrectly handled importing PPT
presentations. An attacker could use this issue to cause LibreOffice to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2026-8356)

It was discovered that LibreOffice Calc incorrectly handled compiling
certain formulas. An attacker could use this issue to cause LibreOffice to
crash, resulting in a denial of service, or possily execute arbitrary code.
(CVE-2026-8357)

It was discovered that LibreOffice Calc incorrectly handled importing
spreadsheet tracked changes. An attacker could use this issue to cause
LibreOffice to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2026-8358)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8534-1</guid><pubDate>Mon, 13 Jul 2026 15:04:25 +0000</pubDate></item><item><title>USN-8533-1: OpenSSH vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8533-1</link><description>It was discovered that OpenSSH sftp did not properly constrain the location
of downloaded files when connecting to an attacker-controlled server. An
attacker could possibly use this issue to write files to unintended
locations on the file system. (CVE-2026-59995)

It was discovered that OpenSSH scp could place files in the parent
directory of the intended destination when copying between two remote
hosts. An attacker could possibly use this issue to write files to
unintended locations. (CVE-2026-59996)

It was discovered that OpenSSH internal-sftp only recognized the first nine
command-line arguments, This could result in certain security-sensitive
arguments being ignored, contrary to expectations. (CVE-2026-59997)

It was discovered that OpenSSH had undocumented behaviour regarding the
GSSAPIStrictAcceptorCheck option in environments using Windows Active
Directory. The documentation has been updated to clarify use of the option.
(CVE-2026-59998)

It was discovered that OpenSSH did not properly enforce precedence of
DisableForwarding=yes over PermitTunnel=yes in server configurations. This
could possibly result in intended network forwarding restrictions being
bypassed, contrary to expectations. (CVE-2026-59999)

It was discovered that OpenSSH mishandled the MaxAuthTries limit for GSSAPI
authentication. A remote attacker could use this issue to perform excessive
authentication attempts. (CVE-2026-60000)

It was discovered that OpenSSH did not always honour the minimum
authentication delay. An attacker could possibly use this issue to perform
brute-force attacks more efficiently. (CVE-2026-60001)

It was discovered that the OpenSSH client had a use-after-free
vulnerability when a server changed its host key during a key re-exchange.
An attacker able to intercept communications could possibly use this issue
to execute arbitrary code or obtain sensitive information. (CVE-2026-60002)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8533-1</guid><pubDate>Mon, 13 Jul 2026 13:07:08 +0000</pubDate></item><item><title>USN-8532-1: libssh2 vulnerabilities</title><link>https://ubuntu.com/security/notices/USN-8532-1</link><description>It was discovered that libssh2 incorrectly handled certain publickey
subsystem attributes. A remote attacker controlling a malicious SSH server
could use this issue to cause a denial of service or possibly execute
arbitrary code. (CVE-2026-58050)

It was discovered that libssh2 did not properly initialize publickey list
entries before parsing. A remote attacker controlling a malicious SSH
server could use this issue to cause a denial of service or possibly
execute arbitrary code. (CVE-2026-58051)</description><guid isPermaLink="false">https://ubuntu.com/security/notices/USN-8532-1</guid><pubDate>Mon, 13 Jul 2026 12:46:47 +0000</pubDate></item></channel></rss>