CVE reports

The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Canonical keeps track of all CVEs affecting Ubuntu, and releases a security notice when an issue is fixed. You can find additional guidance for high-profile vulnerabilities in the Ubuntu Vulnerability Knowledge Base section.



Recent CVEs

CVE-2025-32463

High priority
Fixed

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

1 affected package

sudo


CVE-2025-32462

High priority
Fixed

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

1 affected package

sudo


CVE-2025-53391

High priority
Needs evaluation

The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.

1 affected package

zulucrypt


CVE-2025-6019

High priority

Some fixes available 12 of 14

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way...

2 affected packages

libblockdev, udisks2


CVE-2025-3887

High priority

Some fixes available 5 of 7

GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this...

1 affected package

gst-plugins-bad1.0