Risk | Low |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2019-18808 CVE-2019-19054 CVE-2020-12888 CVE-2020-16166 CVE-2020-25212 |
CWE-ID | CWE-401 CWE-330 CWE-367 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Ubuntu (Operating systems & Components / Operating system); Ubuntu packages (Operating systems & Components / Operating system package or component): linux-image-virtual, linux-image-raspi2, linux-image-raspi, linux-image-oracle, linux-image-oem-osp1, linux-image-oem, linux-image-lowlatency, linux-image-kvm, linux-image-gke, linux-image-generic-lpae, linux-image-generic, linux-image-gcp, linux-image-azure, linux-image-aws, linux-image-5.4.0-1024-kvm, linux-image-raspi-hwe-18.04, linux-image-5.4.0-1019-raspi, linux-image-virtual-hwe-18.04, linux-image-snapdragon-hwe-18.04, linux-image-lowlatency-hwe-18.04, linux-image-generic-lpae-hwe-18.04, linux-image-generic-hwe-18.04, linux-image-5.4.0-48-lowlatency, linux-image-5.4.0-48-generic-lpae, linux-image-5.4.0-48-generic, linux-image-5.4.0-1026-azure, linux-image-5.4.0-1025-oracle, linux-image-5.4.0-1025-gcp, linux-image-5.4.0-1025-aws |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU24433
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-18808
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak within the "ccp_run_sha_cmd()" function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9. A local user can cause a denial of service condition (memory consumption).
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 18.04 - 20.04
linux-image-virtual (Ubuntu package): before 5.4.0.48.51
linux-image-raspi2 (Ubuntu package): before 5.4.0.1019.54
linux-image-raspi (Ubuntu package): before 5.4.0.1019.54
linux-image-oracle (Ubuntu package): before 5.4.0.1025.9
linux-image-oem-osp1 (Ubuntu package): before 5.4.0.48.51
linux-image-oem (Ubuntu package): before 5.4.0.48.51
linux-image-lowlatency (Ubuntu package): before 5.4.0.48.51
linux-image-kvm (Ubuntu package): before 5.4.0.1024.22
linux-image-gke (Ubuntu package): before 5.4.0.1025.22
linux-image-generic-lpae (Ubuntu package): before 5.4.0.48.51
linux-image-generic (Ubuntu package): before 5.4.0.48.51
linux-image-gcp (Ubuntu package): before 5.4.0.1025.13
linux-image-azure (Ubuntu package): before 5.4.0.1026.9
linux-image-aws (Ubuntu package): before 5.4.0.1025.10
linux-image-5.4.0-1024-kvm (Ubuntu package): before 5.4.0-1024.24
linux-image-raspi-hwe-18.04 (Ubuntu package): before 5.4.0.1019.23
linux-image-5.4.0-1019-raspi (Ubuntu package): before 5.4.0-1019.21~18.04.1
linux-image-virtual-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-snapdragon-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-lowlatency-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-lpae-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-5.4.0-48-lowlatency (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic-lpae (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-1026-azure (Ubuntu package): before 5.4.0-1026.26~18.04.1
linux-image-5.4.0-1025-oracle (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-gcp (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-aws (Ubuntu package): before 5.4.0-1025.25~18.04.1
https://ubuntu.com/security/notices/USN-4525-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23021
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19054
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak within the "cx23888_ir_probe()" function in the "drivers/media/pci/cx23885/cx23888-ir.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "kfifo_alloc()" failures.
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 18.04 - 20.04
linux-image-virtual (Ubuntu package): before 5.4.0.48.51
linux-image-raspi2 (Ubuntu package): before 5.4.0.1019.54
linux-image-raspi (Ubuntu package): before 5.4.0.1019.54
linux-image-oracle (Ubuntu package): before 5.4.0.1025.9
linux-image-oem-osp1 (Ubuntu package): before 5.4.0.48.51
linux-image-oem (Ubuntu package): before 5.4.0.48.51
linux-image-lowlatency (Ubuntu package): before 5.4.0.48.51
linux-image-kvm (Ubuntu package): before 5.4.0.1024.22
linux-image-gke (Ubuntu package): before 5.4.0.1025.22
linux-image-generic-lpae (Ubuntu package): before 5.4.0.48.51
linux-image-generic (Ubuntu package): before 5.4.0.48.51
linux-image-gcp (Ubuntu package): before 5.4.0.1025.13
linux-image-azure (Ubuntu package): before 5.4.0.1026.9
linux-image-aws (Ubuntu package): before 5.4.0.1025.10
linux-image-5.4.0-1024-kvm (Ubuntu package): before 5.4.0-1024.24
linux-image-raspi-hwe-18.04 (Ubuntu package): before 5.4.0.1019.23
linux-image-5.4.0-1019-raspi (Ubuntu package): before 5.4.0-1019.21~18.04.1
linux-image-virtual-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-snapdragon-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-lowlatency-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-lpae-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-5.4.0-48-lowlatency (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic-lpae (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-1026-azure (Ubuntu package): before 5.4.0-1026.26~18.04.1
linux-image-5.4.0-1025-oracle (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-gcp (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-aws (Ubuntu package): before 5.4.0-1025.25~18.04.1
https://ubuntu.com/security/notices/USN-4525-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28159
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-12888
CWE-ID: N/A
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists because the VFIO PCI driver mishandles attempts to access disabled memory space. A local user can cause a denial of service condition on the target system.
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 18.04 - 20.04
linux-image-virtual (Ubuntu package): before 5.4.0.48.51
linux-image-raspi2 (Ubuntu package): before 5.4.0.1019.54
linux-image-raspi (Ubuntu package): before 5.4.0.1019.54
linux-image-oracle (Ubuntu package): before 5.4.0.1025.9
linux-image-oem-osp1 (Ubuntu package): before 5.4.0.48.51
linux-image-oem (Ubuntu package): before 5.4.0.48.51
linux-image-lowlatency (Ubuntu package): before 5.4.0.48.51
linux-image-kvm (Ubuntu package): before 5.4.0.1024.22
linux-image-gke (Ubuntu package): before 5.4.0.1025.22
linux-image-generic-lpae (Ubuntu package): before 5.4.0.48.51
linux-image-generic (Ubuntu package): before 5.4.0.48.51
linux-image-gcp (Ubuntu package): before 5.4.0.1025.13
linux-image-azure (Ubuntu package): before 5.4.0.1026.9
linux-image-aws (Ubuntu package): before 5.4.0.1025.10
linux-image-5.4.0-1024-kvm (Ubuntu package): before 5.4.0-1024.24
linux-image-raspi-hwe-18.04 (Ubuntu package): before 5.4.0.1019.23
linux-image-5.4.0-1019-raspi (Ubuntu package): before 5.4.0-1019.21~18.04.1
linux-image-virtual-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-snapdragon-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-lowlatency-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-lpae-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-5.4.0-48-lowlatency (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic-lpae (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-1026-azure (Ubuntu package): before 5.4.0-1026.26~18.04.1
linux-image-5.4.0-1025-oracle (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-gcp (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-aws (Ubuntu package): before 5.4.0-1025.25~18.04.1
https://ubuntu.com/security/notices/USN-4525-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95686
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-16166
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to the use of insufficiently random values within the prandom_state_selftest() function in lib/random32.c, the update_process_times() function in kernel/time/timer.c, and the add_interrupt_randomness() function in drivers/char/random.c. A remote non-authenticated attacker can gain access to sensitive information.
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 18.04 - 20.04
linux-image-virtual (Ubuntu package): before 5.4.0.48.51
linux-image-raspi2 (Ubuntu package): before 5.4.0.1019.54
linux-image-raspi (Ubuntu package): before 5.4.0.1019.54
linux-image-oracle (Ubuntu package): before 5.4.0.1025.9
linux-image-oem-osp1 (Ubuntu package): before 5.4.0.48.51
linux-image-oem (Ubuntu package): before 5.4.0.48.51
linux-image-lowlatency (Ubuntu package): before 5.4.0.48.51
linux-image-kvm (Ubuntu package): before 5.4.0.1024.22
linux-image-gke (Ubuntu package): before 5.4.0.1025.22
linux-image-generic-lpae (Ubuntu package): before 5.4.0.48.51
linux-image-generic (Ubuntu package): before 5.4.0.48.51
linux-image-gcp (Ubuntu package): before 5.4.0.1025.13
linux-image-azure (Ubuntu package): before 5.4.0.1026.9
linux-image-aws (Ubuntu package): before 5.4.0.1025.10
linux-image-5.4.0-1024-kvm (Ubuntu package): before 5.4.0-1024.24
linux-image-raspi-hwe-18.04 (Ubuntu package): before 5.4.0.1019.23
linux-image-5.4.0-1019-raspi (Ubuntu package): before 5.4.0-1019.21~18.04.1
linux-image-virtual-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-snapdragon-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-lowlatency-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-lpae-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-5.4.0-48-lowlatency (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic-lpae (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-1026-azure (Ubuntu package): before 5.4.0-1026.26~18.04.1
linux-image-5.4.0-1025-oracle (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-gcp (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-aws (Ubuntu package): before 5.4.0-1025.25~18.04.1
https://ubuntu.com/security/notices/USN-4525-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51433
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-25212
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a TOCTOU mismatch in the NFS client code in the Linux kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 18.04 - 20.04
linux-image-virtual (Ubuntu package): before 5.4.0.48.51
linux-image-raspi2 (Ubuntu package): before 5.4.0.1019.54
linux-image-raspi (Ubuntu package): before 5.4.0.1019.54
linux-image-oracle (Ubuntu package): before 5.4.0.1025.9
linux-image-oem-osp1 (Ubuntu package): before 5.4.0.48.51
linux-image-oem (Ubuntu package): before 5.4.0.48.51
linux-image-lowlatency (Ubuntu package): before 5.4.0.48.51
linux-image-kvm (Ubuntu package): before 5.4.0.1024.22
linux-image-gke (Ubuntu package): before 5.4.0.1025.22
linux-image-generic-lpae (Ubuntu package): before 5.4.0.48.51
linux-image-generic (Ubuntu package): before 5.4.0.48.51
linux-image-gcp (Ubuntu package): before 5.4.0.1025.13
linux-image-azure (Ubuntu package): before 5.4.0.1026.9
linux-image-aws (Ubuntu package): before 5.4.0.1025.10
linux-image-5.4.0-1024-kvm (Ubuntu package): before 5.4.0-1024.24
linux-image-raspi-hwe-18.04 (Ubuntu package): before 5.4.0.1019.23
linux-image-5.4.0-1019-raspi (Ubuntu package): before 5.4.0-1019.21~18.04.1
linux-image-virtual-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-snapdragon-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-lowlatency-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-lpae-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-generic-hwe-18.04 (Ubuntu package): before 5.4.0.48.52~18.04.42
linux-image-5.4.0-48-lowlatency (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic-lpae (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-48-generic (Ubuntu package): before 5.4.0-48.52~18.04.1
linux-image-5.4.0-1026-azure (Ubuntu package): before 5.4.0-1026.26~18.04.1
linux-image-5.4.0-1025-oracle (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-gcp (Ubuntu package): before 5.4.0-1025.25~18.04.1
linux-image-5.4.0-1025-aws (Ubuntu package): before 5.4.0-1025.25~18.04.1
https://ubuntu.com/security/notices/USN-4525-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.