{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.17.0-20-generic",
                "linux-modules-6.17.0-20-generic"
            ],
            "removed": [
                "linux-image-6.17.0-19-generic",
                "linux-modules-6.17.0-19-generic"
            ],
            "diff": [
                "libpam-systemd",
                "libsystemd-shared",
                "libsystemd0",
                "libudev1",
                "linux-image-virtual",
                "pollinate",
                "python3-jwt",
                "systemd",
                "systemd-resolved",
                "systemd-sysv",
                "udev"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libpam-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.17.0-19.19",
                    "version": "6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.17.0-20.20",
                    "version": "6.17.0-20.20"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-20.20",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 18:49:45 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "pollinate",
                "from_version": {
                    "source_package_name": "pollinate",
                    "source_package_version": "4.33-4ubuntu4",
                    "version": "4.33-4ubuntu4"
                },
                "to_version": {
                    "source_package_name": "pollinate",
                    "source_package_version": "4.33-4ubuntu4.2",
                    "version": "4.33-4ubuntu4.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146451
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove certificate pinning (LP: #2146451)",
                            "    - Curl will now use the system ca-certificates to validate the server",
                            "      cert which will allow a graceful transition during the upcoming",
                            "      certificate renewal and prevent machines from booting without",
                            "      seeded entropy.",
                            ""
                        ],
                        "package": "pollinate",
                        "version": "4.33-4ubuntu4.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [
                            2146451
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 26 Mar 2026 08:25:57 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-jwt",
                "from_version": {
                    "source_package_name": "pyjwt",
                    "source_package_version": "2.10.1-2",
                    "version": "2.10.1-2"
                },
                "to_version": {
                    "source_package_name": "pyjwt",
                    "source_package_version": "2.10.1-2ubuntu0.1",
                    "version": "2.10.1-2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-32597",
                        "url": "https://ubuntu.com/security/CVE-2026-32597",
                        "cve_description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-13 19:55:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32597",
                                "url": "https://ubuntu.com/security/CVE-2026-32597",
                                "cve_description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-13 19:55:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Incorrect authorization of invalid JWS token.",
                            "    - debian/patches/CVE-2026-32597.patch: Add _supported_crit and checks",
                            "      for valid crit header in jwt/api_jws.py. Add tests in",
                            "      tests/test_api_jws.py and tests/test_api_jwt.py.",
                            "    - CVE-2026-32597",
                            ""
                        ],
                        "package": "pyjwt",
                        "version": "2.10.1-2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 26 Mar 2026 10:29:25 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.1",
                    "version": "257.9-0ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.9-0ubuntu2.3",
                    "version": "257.9-0ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-29111",
                        "url": "https://ubuntu.com/security/CVE-2026-29111",
                        "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-23 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-29111",
                                "url": "https://ubuntu.com/security/CVE-2026-29111",
                                "cve_description": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-23 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd",
                            "    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves",
                            "      a leading slash in place",
                            "    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag",
                            "    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()",
                            "    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently",
                            "  * SECURITY UPDATE: Local root execution via malicious hardware devices",
                            "    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch",
                            "    - d/p/udev-fix-review-mixup.patch",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.9-0ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:49:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.17.0-20-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.17.0-19.19",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.17.0-20.20",
                    "version": "6.17.0-20.20"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-20.20",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 18:49:53 +0100"
                    }
                ],
                "notes": "linux-image-6.17.0-20-generic version '6.17.0-20.20' (source package linux-signed version '6.17.0-20.20') was added. linux-image-6.17.0-20-generic version '6.17.0-20.20' has the same source package name, linux-signed, as removed package linux-image-6.17.0-19-generic. As such we can use the source package version of the removed package, '6.17.0-19.19', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.17.0-20-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-19.19",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-20.20",
                    "version": "6.17.0-20.20"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23074",
                        "url": "https://ubuntu.com/security/CVE-2026-23074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a use-after-free (UAF).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23060",
                        "url": "https://ubuntu.com/security/CVE-2026-23060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-04 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23111",
                        "url": "https://ubuntu.com/security/CVE-2026-23111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-13 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144297
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23074",
                                "url": "https://ubuntu.com/security/CVE-2026-23074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Enforce that teql can only be used as root qdisc  Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.  Although not important, I will describe the scenario that unearthed this issue for the curious.  GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:  ROOT qdisc 1:0 (QFQ)   ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s   └── class 1:2 (weight=1, lmax=1514) teql  GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a use-after-free (UAF).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23060",
                                "url": "https://ubuntu.com/security/CVE-2026-23060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec  authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).  Add a minimum AAD length check to fail fast on invalid inputs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-04 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23111",
                                "url": "https://ubuntu.com/security/CVE-2026-23111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()  nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.  nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nft_mapelem_activate():     if (nft_set_elem_active(ext, iter->genmask))         return 0;   /* skip active, process inactive */  With the buggy catchall version:    nft_map_catchall_activate():     if (!nft_set_elem_active(ext, genmask))         continue;   /* skip inactive, process active */  The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.  Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-13 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux: 6.17.0-20.20 -proposed tracker (LP: #2144297)",
                            "",
                            "  * CVE-2026-23074",
                            "    - net/sched: Enforce that teql can only be used as root qdisc",
                            "",
                            "  * CVE-2026-23060",
                            "    - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN",
                            "      spec",
                            "",
                            "  * CVE-2026-23111",
                            "    - netfilter: nf_tables: fix inverted genmask check in",
                            "      nft_map_catchall_activate()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.17.0-20.20",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2144297
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 13 Mar 2026 16:27:25 +0100"
                    }
                ],
                "notes": "linux-modules-6.17.0-20-generic version '6.17.0-20.20' (source package linux version '6.17.0-20.20') was added. linux-modules-6.17.0-20-generic version '6.17.0-20.20' has the same source package name, linux, as removed package linux-modules-6.17.0-19-generic. As such we can use the source package version of the removed package, '6.17.0-19.19', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.17.0-19-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.17.0-19.19",
                    "version": "6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.17.0-19-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-19.19",
                    "version": "6.17.0-19.19"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.10 questing image from release image serial 20260320 to 20260401",
    "from_series": "questing",
    "to_series": "questing",
    "from_serial": "20260320",
    "to_serial": "20260401",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}