
[USN-8450-1] Tomcat vulnerabilities

Posted on 18 June 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8450-1
June 18, 2026

tomcat11 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat11: Servlet and JSP engine

Details:

It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
possibly use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)

It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)

It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could possibly use this issue to obtain
sensitive credentials. (CVE-2026-42498)

It was discovered that Tomcat incorrectly handled authorization
when multiple method constraints defined the same HTTP method. A
remote attacker could possibly use this issue to bypass
authorization restrictions. (CVE-2026-43515)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  libtomcat11-embed-java          11.0.18-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  libtomcat11-java                11.0.18-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  tomcat11                        11.0.18-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

After a standard system update you need to restart Tomcat to make
all the necessary changes.
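
To confirm that hosts actually carry the fixed packages, the following added example (not part of the Ubuntu notice) compares a package inventory against the versions listed above, using Debian version ordering rather than string comparison. It assumes the inventory is "package version" lines such as those produced by dpkg-query -W -f='${Package} ${Version}\n'; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed versions copied from the "Update instructions" section of this notice.
FIXED = dict.fromkeys(
    ("libtomcat11-embed-java", "libtomcat11-java", "tomcat11"),
    "11.0.18-1ubuntu0.1~esm1")

def _order(c):
    # '~' sorts before everything, even end of string; letters before punctuation.
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (custom order) with digit runs (numeric).
    while a or b:
        na, da, a = re.match(r"(\D*)(\d*)(.*)", a).groups()
        nb, db, b = re.match(r"(\D*)(\d*)(.*)", b).groups()
        n = max(len(na), len(nb))
        ka = [_order(na[i:i + 1]) for i in range(n)] + [int(da or 0)]
        kb = [_order(nb[i:i + 1]) for i in range(n)] + [int(db or 0)]
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def needs_update(inventory):
    # Return {package: installed_version} for packages older than the fixed version.
    found = {}
    for line in inventory.splitlines():
        pkg, _, ver = line.partition(" ")
        if pkg in FIXED and ver.strip() and deb_cmp(ver.strip(), FIXED[pkg]) < 0:
            found[pkg] = ver.strip()
    return found

# Constructed sample inventory (installed versions here are illustrative only).
SAMPLE = """libtomcat11-java 11.0.9-1
tomcat11 11.0.18-1ubuntu0.1~esm1
libtomcat11-embed-java 11.0.18-1
example-pkg 1.0-1
"""
```

A plain string comparison would rank 11.0.9 above 11.0.18 and would mishandle the ~esm1 suffix, which in Debian ordering sorts before the same version without it.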

References:
https://ubuntu.com/security/notices/USN-8450-1
CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43515
