
Critical Tomcat Vulnerabilities Affecting Multiple Ubuntu Releases

Severity: High (Score: 72.9)

Sources: Ubuntu, launchpad.net, Linuxsecurity

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: tomcat, update, issues, webdav, lock, propfind, request

Severity indicators: vulnerabilities, issue

Summary

On June 10, 2026, Ubuntu released USN-8417-1, addressing multiple vulnerabilities in Tomcat, including denial of service and authentication bypass issues. The vulnerabilities affect various Ubuntu versions, including 26.04 LTS and earlier releases. Key vulnerabilities include CVE-2026-41284, which allows excessive memory consumption through WebDAV requests, and CVE-2026-41293, which involves improper validation of HTTP/2 headers leading to potential crashes or arbitrary code execution. Other vulnerabilities include CVE-2026-42498, exposing sensitive credentials during WebSocket upgrades, and CVE-2026-43512, allowing unauthorized authentication. Administrators are advised to update their systems to mitigate these risks. The vulnerabilities were disclosed on May 12, 2026, and are considered critical due to their potential impact on system security.

Key Points:

  • Multiple critical vulnerabilities in Tomcat affect various Ubuntu versions.
  • CVE-2026-41284 can lead to denial of service through unbounded WebDAV requests.
  • Immediate updates are required to mitigate risks associated with these vulnerabilities.

Detailed Analysis

**Impact**

Multiple Ubuntu releases including 18.04 LTS through 26.04 LTS and their derivatives are affected, impacting organizations running Tomcat servlet engines in these environments. The vulnerabilities enable denial of service, unauthorized access to sensitive credentials, authentication bypass, and potential arbitrary code execution, risking operational disruption and data compromise across sectors relying on Java web applications. SUSE systems using Tomcat 9 are also impacted, indicating a broader Linux ecosystem exposure.

**Technical Details**

Exploits target improper size limits on WebDAV LOCK and PROPFIND request bodies (CVE-2026-41284), flawed HTTP/2 header validation (CVE-2026-41293), failure to clear HTTP authentication headers during WebSocket upgrades (CVE-2026-42498), digest authentication bypass (CVE-2026-43512), case sensitivity issues in LockOutRealm (CVE-2026-43513), and incorrect authorization with multiple method constraints (CVE-2026-43515). Attack vectors include remote HTTP/2 and WebDAV requests, WebSocket connection upgrades, and authentication mechanisms. No specific malware, tools, or IOCs were reported.

**Recommended Response**

Apply the updated Tomcat packages provided by Ubuntu and SUSE immediately, ensuring versions such as tomcat10 10.1.40-1ubuntu1.26.04.1 or tomcat9 9.0.118 are installed. Restart Tomcat services after patching to activate the fixes. Harden authentication configurations and monitor for unusual HTTP/2, WebDAV, and WebSocket traffic patterns. No specific detection signatures or IOCs were provided; therefore, focus on patch management and traffic anomaly monitoring.

Source articles (4)

  • SUSE Tomcat Important Security Update for Seven Issues 2026-2299 — Linuxsecurity · 2026-06-08
    This update for tomcat fixes the following issues. Update to Tomcat 9.0.118: * CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). * CVE-2026-41293: HTTP/2 request hea…
  • USN-8417-1: Tomcat vulnerabilities — Ubuntu · 2026-06-10
    It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting…
  • 10.1.40-1ubuntu1.26.04.1 — launchpad.net · 2026-06-10
    Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Oracle, and provides a "pure Java" HTTP web server environment for Java code to run. This package contain…
  • Ubuntu 26.04 Tomcat Critical DoS and Authentication Bypass Vuln 8417 — Linuxsecurity · 2026-06-10
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several se…

Timeline

  • 2026-05-12 — CVE-2026-41284 published: Unbounded read in WebDAV LOCK and PROPFIND handling allows excessive memory consumption.
  • 2026-05-12 — CVE-2026-41293 published: Improper validation of HTTP/2 request headers can lead to crashes or arbitrary code execution.
  • 2026-05-12 — CVE-2026-42498 published: WebSocket authentication header exposure allows attackers to obtain sensitive credentials.
  • 2026-05-12 — CVE-2026-43514 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-43513 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-43512 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-43515 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-10 — Ubuntu releases USN-8417-1: Ubuntu addresses multiple Tomcat vulnerabilities affecting several LTS versions.

CVEs

  • CVE-2026-41284
  • CVE-2026-41293
  • CVE-2026-42498
  • CVE-2026-43512
  • CVE-2026-43513
  • CVE-2026-43514
  • CVE-2026-43515

Related entities

  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-125 - Out-of-bounds Read (Cwe)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • Tomcat (Platform)
  • Ubuntu (Company)