Ubuntu alert USN-8300-1 (ngtcp2)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8300-1] ngtcp2 vulnerability | |
| Date: | Mon, 25 May 2026 14:45:27 +0000 | |
| Message-ID: | <E1wRWYZ-0007pU-2Y@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-8300-1 May 25, 2026 ngtcp2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: ngtcp2 could be made to run programs as your login if it received specially crafted network traffic when qlog was enabled. Software Description: - ngtcp2: RFC9000 QUIC protocol implementation Details: Zou Dikai discovered that ngtcp2 serialized peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog was enabled, a remote attacker could possibly use this issue to execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libngtcp2-16 1.16.0-1ubuntu0.1 libngtcp2-crypto-gnutls-dev 1.16.0-1ubuntu0.1 libngtcp2-crypto-gnutls8 1.16.0-1ubuntu0.1 libngtcp2-crypto-ossl-dev 1.16.0-1ubuntu0.1 libngtcp2-crypto-ossl0 1.16.0-1ubuntu0.1 libngtcp2-dev 1.16.0-1ubuntu0.1 Ubuntu 25.10 libngtcp2-16 1.11.0-1+deb13u1build0.25.10.1 libngtcp2-crypto-gnutls-dev 1.11.0-1+deb13u1build0.25.10.1 libngtcp2-crypto-gnutls8 1.11.0-1+deb13u1build0.25.10.1 libngtcp2-dev 1.11.0-1+deb13u1build0.25.10.1 ngtcp2-client 1.11.0-1+deb13u1build0.25.10.1 ngtcp2-server 1.11.0-1+deb13u1build0.25.10.1 Ubuntu 24.04 LTS libngtcp2-9 0.12.1+dfsg-1+deb12u1build0.24.04.1 libngtcp2-crypto-gnutls-dev 0.12.1+dfsg-1+deb12u1build0.24.04.1 libngtcp2-crypto-gnutls2 0.12.1+dfsg-1+deb12u1build0.24.04.1 libngtcp2-dev 0.12.1+dfsg-1+deb12u1build0.24.04.1 ngtcp2-client 0.12.1+dfsg-1+deb12u1build0.24.04.1 ngtcp2-server 0.12.1+dfsg-1+deb12u1build0.24.04.1 Ubuntu 22.04 LTS libngtcp2-0 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro libngtcp2-crypto-gnutls-dev 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro libngtcp2-crypto-gnutls0 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro libngtcp2-dev 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro ngtcp2-client 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro ngtcp2-server 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8300-1 CVE-2026-40170 Package Information: https://launchpad.net/ubuntu/+source/ngtcp2/1.16.0-1ubunt... https://launchpad.net/ubuntu/+source/ngtcp2/1.11.0-1+deb1... https://launchpad.net/ubuntu/+source/ngtcp2/0.12.1+dfsg-1...
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmoUYHUACgkQcpJm3tlz hgEYehAAp0ifPhZ+dk5xjGVJOGCu0F0k9wLCUb5ITELoywoU7Qnv4AAzoU0QE5Ff iTcM4YXgfTEKs4BSRlEsVC6utSmoCRFupdZEbh6kXC8oKM/vaNMRYFE3XMvE4Xw0 dMl5e7lS3F8GuUJ1V51agLgJZiumzMkmsFtwN48doGUFqdg0wcTeUekiE3VlBkrE AdBQnDMYNW41rms0hPfddMG2YM/eq06qsiQshcGCULCM25I+asynblgPaCrkS/7A hOO18GKbbMNoUWxIku1OOJsfJMgArU5vq34B6L3ijJqbfInyG1WpYEKhgu5kcHfK xGJlT6N3cmr07x/RWb4BEAhMgNNg0fUg750j00pE7YinCylul9HOLwKHZqNkOLtN 23X2GWLWtYgFWHKelrYUllS24+dqtKpeey2TcKw6uO8nsomtuDUvSlw5PqwWOofy IMfVj873nmjcWlMK3qvUmRfKD9h1w9VB57Mhvym2rNvQ3x6kg+Dsg32bnnoU82F7 VTKOO3TDB/aoIVKqX/VFM1pgTP5snhmc3AWOdFEmbAO9DS+cpSeU1PO6WQIc7ceu 1J14p1e2fRl5QC5OxSfIBPq9uutoqZ38UgHvhgVk0ceynv2irsMnKk+Jl0X8ut9Z zaYxAevP+tQOzTvB5kzWYz0mUU/qvjoDgsozIXemT4M89NXvnDg= =naRG -----END PGP SIGNATURE-----