Canonical
Ubuntu
Linux distribution for servers, desktops, and cloud workloads.
26.04
- Release date
- April 23, 2026
- Security status
- Current version appears affected by 2 high-severity CVEs.
Source
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 26.04 | 2026-04-23 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-47333 | HIGH (7.8) | 2026-05-28 | Current versionnot affected | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine. Affected versions
Show 1 more
|
| CVE-2026-47331 | HIGH (7.8) | 2026-05-28 | Current versionnot affected | Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution. Affected versions
|
| CVE-2026-31431 | HIGH (7.8) | 2026-04-22 | Current versionaffected | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. Affected versions
Show 5 more
|
| CVE-2026-3888 | HIGH (7.8) | 2026-03-17 | Current versionaffected | Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS. Affected versions
|
| CVE-2026-3497 | HIGH (7.5) | 2026-03-12 | Current versionnot affected | Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration. Affected versions
Show 1 more
|