SB2026042838 - Ubuntu update for glance

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026042838

SB2026042838 - Ubuntu update for glance

Published: April 28, 2026

Security Bulletin ID SB2026042838
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2024-32498)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to insufficient validation of file paths inside a QCOW2 image. A remote user can supply a specially crafted QCOW2 image that references a specific data file path and view the contents of the file.


2) Input validation error (CVE-ID: CVE-2026-34881)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote user to access internal services.

The vulnerability exists due to improper input validation in the web-download import method when following HTTP redirects. A remote user can provide a URL that passes validation and redirects to an internal or disallowed resource to access internal services.

Only the glance image import functionality is affected.


Remediation

Install update from vendor's website.

References