Critical Vulnerability in Little CMS Affects Multiple Ubuntu Releases
Severity: High (Score: 70.5)
Sources: Linuxsecurity, Ubuntu
Keywords: ubuntu, little, made, crash, critical, denial, service
Severity indicators: critical
Summary
A vulnerability in the Little CMS color management library has been discovered, affecting Ubuntu 14.04, 16.04, 18.04, and 20.04 LTS. The flaw allows attackers to crash the application or potentially execute arbitrary code by using specially crafted ICC profiles. This issue was highlighted in the Ubuntu Security Notice USN-8209-2, which follows the previous advisory USN-8209-1 that addressed related vulnerabilities. Users are advised to update their systems to the latest package versions to mitigate the risk. The vulnerability is classified under CVE-2026, and a standard system update will apply the necessary fixes. Ubuntu Pro users benefit from extended security coverage for these packages.
Key Points:
- Little CMS vulnerability allows denial of service and potential code execution.
- Affected Ubuntu versions include 14.04, 16.04, 18.04, and 20.04 LTS.
- Users should update to the latest package versions to mitigate risks.
Detailed Analysis
**Impact** Multiple Ubuntu Long Term Support (LTS) releases are affected, specifically versions 14.04, 16.04, 18.04, and 20.04, including their derivatives. The vulnerability allows attackers to cause denial of service or potentially execute arbitrary code by exploiting Little CMS’s handling of malformed ICC profiles. This impacts organizations using these Ubuntu releases across all sectors relying on color management libraries, with potential operational disruptions and security breaches. No specific geographic or sectoral data is provided.
**Technical Details** The vulnerability involves Little CMS (lcms2) incorrectly processing specially crafted ICC profiles, enabling crashes or arbitrary code execution. The issue is tracked under Ubuntu Security Notice USN-8209-2 and CVE identifiers are implied but not explicitly stated. The attack vector is through opening malicious ICC profiles, affecting the color management library component. No malware, tools, or infrastructure details are provided, nor are any IOCs mentioned.
**Recommended Response** Apply the security updates provided in USN-8209-2 immediately, which include patched versions of liblcms2 packages for Ubuntu 14.04, 16.04, 18.04, and 20.04 LTS. Systems enrolled in Ubuntu Pro can access extended security maintenance packages. Standard system updates will address the vulnerability. Monitor for abnormal crashes or execution behaviors related to ICC profile processing if patching is delayed.
Source articles (2)
- USN-8209-2: Little CMS vulnerability — Ubuntu · 2026-06-01
Little CMS could be made to crash or run programs if it opened a specially crafted ICC profile. USN-8209-1 fixed vulnerabilities in Little CMS. This update contains the fixes for Ubuntu 14.04 LTS, Ubu…
- Ubuntu 20.04 LTS Little CMS Critical Denial Of Service CVE-2026 — Linuxsecurity · 2026-06-01
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS. Summary: Little CMS could be made to crash or run pro…
Timeline
- 2026-06-01 — USN-8209-2 released: Ubuntu released an advisory addressing vulnerabilities in Little CMS affecting multiple LTS versions.
- 2026-06-01 — CVE-2026 disclosed: A critical vulnerability in Little CMS was disclosed, allowing crashes and potential code execution.
- Recent — Users advised to update systems: Users are encouraged to perform standard system updates to apply necessary patches for the vulnerability.
Related entities
- DDoS (Attack Type)
- Little CMS (Vulnerability)
- Ubuntu (Company)