Ubuntu Users Get Another Major Kernel Update, Up to 15 Vulnerabilities Patched


Canonical released today a new major Linux kernel update for all supported Ubuntu releases to address up to 15 security vulnerabilities affecting all supported kernel versions and flavors.

The new Linux kernel update patches five security vulnerabilities affecting all supported Ubuntu releases, including Ubuntu 21.10 (Impish Indri), Ubuntu 20.04 LTS (Focal Fossa), and Ubuntu 18.04 LTS (Bionic Beaver), as well as the Ubuntu 16.04 and Ubuntu 14.04 ESM releases.

These include CVE-2021-22600, a double-free vulnerability discovered in the Linux kernel's Packet network protocol implementation, as well as CVE-2021-4083, a race condition discovered by Google Project Zero's Jann Horn in the Unix domain socket implementation. Both issues could allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code.

Three further issues are patched across all supported releases: CVE-2021-4155, a flaw discovered by Kirill Tkhai in the XFS file system implementation, which could allow a local attacker to expose sensitive information; CVE-2022-0330, a security issue discovered by Sushma Venkatesh Reddy in the Intel i915 graphics driver, which could allow a local attacker to cause a denial of service or execute arbitrary code; and CVE-2022-22942, a vulnerability discovered in the VMware Virtual GPU driver, which could allow a local attacker to expose sensitive information or gain administrative privileges.

For Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS only, the new kernel update also addresses CVE-2021-43975, a flaw discovered by Brendan Dolan-Gavitt in the aQuantia AQtion Ethernet device driver that could allow a local attacker with the ability to control an emulated device to cause a denial of service (system crash) or execute arbitrary code.

For Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, as well as Ubuntu 18.04 LTS systems running Linux kernel 4.15, the new kernel update addresses seven other security vulnerabilities, including CVE-2021-28711, CVE-2021-28712, CVE-2021-28713, CVE-2021-28714, and CVE-2021-28715, five flaws discovered by Jürgen Groß in the Xen network backend driver, which could allow an attacker in a guest virtual machine to cause a denial of service (excessive kernel memory consumption) in another guest VM or in the network backend domain.

The same goes for CVE-2021-39685, an out-of-bounds read or write vulnerability discovered by Szymon Heidrich in the USB Gadget subsystem, as well as CVE-2021-4202, a use-after-free vulnerability discovered by Lin Ma in the NFC Controller Interface (NCI) implementation. Both of these issues could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.

Canonical urges all Ubuntu users to update their installations to the new Linux kernel versions (linux-image-generic 5.13.0.30.40 for Ubuntu 21.10, linux-image-generic 5.4.0.100.113 for Ubuntu 20.04 LTS and 18.04 LTS, or linux-image-generic 4.15.0.169.158 for Ubuntu 18.04 LTS), which are already available in the stable repositories, as soon as possible. After a kernel update, you will need to reboot your systems for the patches to take effect, and to rebuild and reinstall any third-party kernel modules you might have installed.

The easiest way to update your Ubuntu system is to run the sudo apt update && sudo apt full-upgrade command in the Terminal app or another terminal emulator. Of course, you can also use the Software Updater graphical utility to install the new kernel versions and any other pending updates.
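A check that goes with the reboot advice above, added here as an example and not part of the article or of Canonical's tooling: it reduces the running kernel (uname -r) and each installed linux-image package version (dpkg-query) to their ABI part and reports whether the host is still running an older kernel than the newest one installed, i.e. whether the reboot is still pending. The function names and the sample version strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or from Canonical): report whether a
# host still runs an older kernel than the newest linux-image it has
# installed, i.e. whether the reboot the update requires is still pending.
# The comparison logic is pure shell so it can be exercised with constructed
# inputs; the wrapper at the bottom reads uname and dpkg on a real host.

# Reduce "5.4.0-100-generic" (uname -r) or "5.4.0-100.113" (package
# version) to the ABI part "5.4.0-100" so both forms compare cleanly.
kernel_abi() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*/\1/'
}

# highest_abi VERSION... -> the newest ABI by natural version ordering
highest_abi() {
    for v in "$@"; do kernel_abi "$v"; done | sort -V | tail -n 1
}

# reboot_needed RUNNING INSTALLED... -> prints "yes" when the running kernel
# is older than the newest installed one, "no" otherwise (also when equal).
reboot_needed() {
    running=$(kernel_abi "$1"); shift
    newest=$(highest_abi "$@")
    top=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    if [ "$top" = "$running" ]; then echo no; else echo yes; fi
}

# Live check for a Debian/Ubuntu host; returns 0 only when no reboot is due.
check_this_host() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found"; return 2; }
    # versioned kernel packages only (linux-image-5.4.0-100-generic etc.)
    installed=$(dpkg-query -W -f='${Version}\n' 'linux-image-[0-9]*' 2>/dev/null)
    [ -n "$installed" ] || { echo "no linux-image-* packages found"; return 2; }
    # shellcheck disable=SC2086  (splitting $installed on newlines is intended)
    result=$(reboot_needed "$(uname -r)" $installed)
    echo "running $(uname -r); newest installed $(highest_abi $installed); reboot needed: $result"
    [ "$result" = no ]
}

# Run the live check only when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--live" ]; then check_this_host; fi
```

Run it as `sh reboot-check.sh --live`; a non-zero exit means the host is still on the pre-update kernel.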
