[USN-8414-2] OpenSSL vulnerabilities
Posted on 09 June 2026
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-8414-2
June 09, 2026
openssl, openssl1.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
USN-8414-1 fixed several vulnerabilities in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-8414-1 fixed several vulnerabilities in OpenSSL. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:

Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1
content parsing. An attacker could possibly use this issue to cause OpenSSL
to crash, resulting in a denial of service, or obtain sensitive
information. (CVE-2026-34180)

Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could
accept forged CMS AuthEnvelopedData messages. An attacker could possibly
use this issue to bypass message authentication checks. (CVE-2026-34182)

Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan
Zhang discovered that OpenSSL had a possible NULL dereference in password-
based CMS decryption. An attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2026-42766)

Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a
NULL pointer dereference in CRMF EncryptedValue decryption. An attacker
could possibly use this issue to cause OpenSSL to crash, resulting in a
denial of service. (CVE-2026-42767)

Thai Duong discovered that OpenSSL had a heap use-after-free in
PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-45447)

Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer
overflow in ASN.1 multibyte string conversion. An attacker could possibly
use this issue to cause OpenSSL to crash, resulting in a denial of service,
or execute arbitrary code. (CVE-2026-7383)

Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS
password-based decryption. An attacker could possibly use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-9076)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
  openssl                         1.1.1f-1ubuntu2.24+esm4
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  openssl                         1.1.1-1ubuntu2.1~18.04.23+esm9
                                  Available with Ubuntu Pro
  openssl1.0                      1.0.2n-1ubuntu5.13+esm5
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  openssl                         1.0.2g-1ubuntu4.20+esm16
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  openssl                         1.0.1f-1ubuntu2.27+esm14
                                  Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8414-2
https://ubuntu.com/security/notices/USN-8414-1
CVE-2026-34180, CVE-2026-34182, CVE-2026-42766, CVE-2026-45447,
CVE-2026-7383, CVE-2026-9076
