SB2026071433 - Ubuntu update for linux-aws



SB2026071433 - Ubuntu update for linux-aws

Published: July 14, 2026

Security Bulletin ID SB2026071433
CSH Severity
High
Patch available
YES
Number of vulnerabilities 22
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 9% Medium 55% Low 36%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 22 vulnerabilities.


1) Double free (CVE-ID: CVE-2026-43011)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to double free in x25_queue_rx_frame and x25_backlog_rcv when processing received x25 frames after alloc_skb failure. A local attacker can trigger the error path to cause a denial of service.


2) NULL pointer dereference (CVE-ID: CVE-2021-47202)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the of_thermal_get_temp(), of_thermal_set_emul_temp(), of_thermal_get_trend() and of_thermal_set_trip_temp() functions in drivers/thermal/of-thermal.c. A local user can perform a denial of service (DoS) attack.


3) Memory leak (CVE-ID: CVE-2024-56643)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the dccp_feat_change_recv() function in net/dccp/feat.c. A local user can perform a denial of service (DoS) attack.


4) Use After Free (CVE-ID: CVE-2026-23272)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.

The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.

Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.


5) Out-of-bounds read (CVE-ID: CVE-2026-23455)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.


6) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.


7) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.

The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.


8) Improper input validation (CVE-ID: CVE-2026-31637)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in rxkad_decrypt_ticket() when processing a malformed RXKAD RESPONSE ticket with a non-block-aligned length. A remote attacker can send a specially crafted response ticket to cause a denial of service.


9) Heap-based buffer overflow (CVE-ID: CVE-2026-31659)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in batadv_tt_prepare_tvlv_global_data() when processing an oversized global TT response from a remote originator. A remote attacker can advertise a large global TT to trigger a wrapped allocation and write past the end of the heap object to cause a denial of service or execute arbitrary code.


10) Out-of-bounds read (CVE-ID: CVE-2026-31682)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.


11) Improper input validation (CVE-ID: CVE-2026-31685)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.


12) Resource management error (CVE-ID: CVE-2026-43284)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber


The vulnerability allows a local user to escalate privileges on the system.

The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in esp_input() function in net/ipv4/esp4.c and esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges. 

Note, this is one of two vulnerabilities reported as Dirty Frag.


13) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.

The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.


14) Out-of-bounds read (CVE-ID: CVE-2026-43038)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.

The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.


15) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43383)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing differences in tcp-md5 MAC comparison when verifying TCP MD5 signatures. A remote attacker can measure response timing during crafted network interactions to disclose sensitive information.


16) Integer overflow (CVE-ID: CVE-2026-43407)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an integer overflow leading to an out-of-bounds read in ceph_handle_auth_reply() when processing a CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted CEPH_MSG_AUTH_REPLY message to disclose sensitive information.


17) Double free (CVE-ID: CVE-2026-43414)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in qla24xx_els_dcmd_iocb() error handling when releasing fcport references. A local user can trigger an error condition to cause a denial of service.


18) Improper Initialization (CVE-ID: CVE-2026-45988)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper state management in RxRPC packet processing when handling RESPONSE or CHALLENGE packets after a temporary processing failure. A remote attacker can send a sequence of crafted packets that trigger packet reprocessing to cause a denial of service.

The issue can occur when a packet is left in a partially decrypted state and then requeued for retry.


19) Integer underflow (CVE-ID: CVE-2026-46043)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in rxe_rcv when processing a crafted RDMA packet with a forged BTH pad field and insufficient length. A remote attacker can send a specially crafted packet to cause a denial of service.

The issue occurs because payload_size() uses the attacker-controlled pad value and ICRC size when calculating the payload length.


20) Out-of-bounds read (CVE-ID: CVE-2026-46119)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in libceph auth message processing when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to disclose sensitive information.

The issue occurs when a positive result value is misinterpreted as the size of the front segment to send, which can cause memory beyond the allocated buffer to be transmitted.


21) Improper input validation (CVE-ID: CVE-2026-46243)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.

The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.


22) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to modify the page cache of a root-owned read-only file.

The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.

One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.


Remediation

Install update from vendor's website.