Snyk test report

Time-of-check Time-of-use (TOCTOU)

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-27456
• https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
• https://github.com/util-linux/util-linux/releases/tag/v2.41.4
• https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g

Authentication Bypass

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3184
• https://access.redhat.com/errata/RHSA-2026:7180
• https://access.redhat.com/security/cve/CVE-2026-3184
• https://bugzilla.redhat.com/show_bug.cgi?id=2442570

Directory Traversal

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
• http://www.openwall.com/lists/oss-security/2025/11/01/6

Unrestricted Upload of File with Dangerous Type

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

CVE-2026-35350

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35350
• https://github.com/uutils/coreutils/issues/9750

CVE-2026-35357

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35357
• https://github.com/uutils/coreutils/issues/10011

CVE-2026-35374

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35374
• https://github.com/uutils/coreutils/pull/11401

CVE-2026-35373

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35373
• https://github.com/uutils/coreutils/pull/11403

CVE-2026-35370

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35370
• https://github.com/uutils/coreutils/issues/10006

CVE-2026-35341

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35341
• https://github.com/uutils/coreutils/issues/10020

CVE-2026-35367

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35367
• https://github.com/uutils/coreutils/issues/10021

CVE-2026-35368

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35368
• https://github.com/uutils/coreutils/issues/10327

CVE-2026-35354

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35354
• https://github.com/uutils/coreutils/issues/10014

CVE-2026-35348

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35348
• https://github.com/uutils/coreutils/issues/9696

CVE-2026-35371

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35371
• https://github.com/uutils/coreutils/issues/10006

CVE-2026-35364

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35364
• https://github.com/uutils/coreutils/issues/10015

CVE-2026-35351

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35351
• https://github.com/uutils/coreutils/issues/9714

CVE-2026-35345

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35345
• https://github.com/uutils/coreutils/issues/10328

CVE-2026-35360

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35360
• https://github.com/uutils/coreutils/issues/10019

CVE-2026-35363

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35363
• https://github.com/uutils/coreutils/issues/9749

CVE-2026-35344

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35344
• https://github.com/uutils/coreutils/issues/9745

CVE-2026-35352

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35352
• http://www.openwall.com/lists/oss-security/2026/05/04/4
• http://www.openwall.com/lists/oss-security/2026/05/04/5
• http://www.openwall.com/lists/oss-security/2026/05/04/6
• https://github.com/uutils/coreutils/issues/10020

CVE-2026-35359

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35359
• https://github.com/uutils/coreutils/issues/10017

CVE-2026-35377

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \ and '). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35377
• https://github.com/uutils/coreutils/pull/11512

Algorithmic Complexity

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Remediation

There is no fixed version for Ubuntu:26.04 gnutls28.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14831
• https://access.redhat.com/security/cve/CVE-2025-14831
• https://bugzilla.redhat.com/show_bug.cgi?id=2423177
• https://access.redhat.com/errata/RHSA-2026:3477
• https://access.redhat.com/errata/RHSA-2026:4188
• https://gitlab.com/gnutls/gnutls/-/issues/1773
• https://access.redhat.com/errata/RHSA-2026:4655
• https://access.redhat.com/errata/RHSA-2026:4943
• https://access.redhat.com/errata/RHSA-2026:5585
• https://access.redhat.com/errata/RHSA-2026:5606
• https://access.redhat.com/errata/RHSA-2026:6630
• https://access.redhat.com/errata/RHSA-2026:6618
• https://access.redhat.com/errata/RHSA-2026:6737
• https://access.redhat.com/errata/RHSA-2026:6738
• https://access.redhat.com/errata/RHSA-2026:7329
• https://access.redhat.com/errata/RHSA-2026:7335
• https://access.redhat.com/errata/RHSA-2026:8747
• https://access.redhat.com/errata/RHSA-2026:8746
• https://access.redhat.com/errata/RHSA-2026:8748
• https://access.redhat.com/errata/RHSA-2026:7477
• https://access.redhat.com/errata/RHSA-2026:13812
• https://access.redhat.com/errata/RHSA-2026:16174
• https://cert-portal.siemens.com/productcert/html/ssa-032379.html
• https://access.redhat.com/errata/RHSA-2026:16008
• https://access.redhat.com/errata/RHSA-2026:16009
• https://access.redhat.com/errata/RHSA-2026:25096

CVE-2026-4437

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4437
• https://sourceware.org/bugzilla/show_bug.cgi?id=34014

CVE-2026-4438

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4438
• https://sourceware.org/bugzilla/show_bug.cgi?id=34015

CVE-2026-4046

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4046
• https://sourceware.org/bugzilla/show_bug.cgi?id=33980
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
• https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u

CVE-2026-6238

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-6238
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34069

CVE-2026-5435

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5435
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34033

Improper Validation of Specified Type of Input

Overview

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.

Remediation

There is no fixed version for github.com/vmihailenco/msgpack/v5.

References

• GitHub Commit
• Mattermost Security Updates

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

MPL-2.0 license

Improper Encoding or Escaping of Output

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Ubuntu:26.04 git.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
• https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
• https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net

Algorithmic Complexity

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:26.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html