Multiple OpenSSL Vulnerabilities Disclosed Affecting Ubuntu Systems

Severity: Medium (Score: 57.9)

Sources: Ubuntu, Linuxsecurity

Published: 2026-06-09 · Updated: 2026-06-10

Keywords: openssl, ubuntu, vulnerabilities, usn-8414-1, update, usn-8414-2, fixed

Severity indicators: vulnerabilities

Summary

On June 9, 2026, multiple vulnerabilities in OpenSSL were disclosed, affecting various Ubuntu LTS versions including 14.04, 16.04, 18.04, 20.04, 25.10, and 26.04. Key vulnerabilities include a heap buffer over-read (CVE-2026-34180) that could lead to denial of service or information disclosure, and a flaw allowing forged CMS AuthEnvelopedData messages (CVE-2026-34182). Other issues include potential NULL pointer dereferences and memory growth problems. The vulnerabilities could be exploited by attackers to crash OpenSSL or bypass integrity checks. Affected systems are urged to apply the latest updates to mitigate these risks. The vulnerabilities were confirmed by multiple researchers and are now patched in the latest security updates.

Key Points:

  • OpenSSL vulnerabilities disclosed on June 9, 2026, affecting multiple Ubuntu LTS versions.
  • Critical issues include CVE-2026-34180 and CVE-2026-34182, leading to potential denial of service.
  • Affected systems must update to the latest patches to mitigate risks from these vulnerabilities.

Detailed Analysis

**Impact** Multiple OpenSSL vulnerabilities affect Ubuntu systems across several versions, including 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 25.10, and 26.04 LTS. These issues expose systems to denial of service, information disclosure, and bypass of authentication or integrity checks. The affected sectors include any organizations relying on Ubuntu for secure communications, potentially impacting global operations due to Ubuntu's widespread use in enterprise and cloud environments.

**Technical Details** Exploits target heap buffer over-reads (CVE-2026-34180), forged CMS AuthEnvelopedData messages (CVE-2026-34182), NULL pointer dereferences causing crashes (CVE-2026-42766, CVE-2026-42767), and memory growth leading to resource exhaustion (CVE-2026-34183). Additional vulnerabilities include Bleichenbacher oracles (CVE-2026-42768), heap use-after-free (CVE-2026-45447), and heap buffer overflows (CVE-2026-7383). Attack vectors involve crafted ASN.1 content, PKCS#12 files, QUIC protocol packets, and CMS decryption processes. No specific malware or IOCs are provided.

**Recommended Response** Apply the latest Ubuntu security updates corresponding to your version, including USN-8414-1 for Ubuntu 25.10 and 26.04 LTS, and USN-8414-2 for Ubuntu 14.04 through 20.04 LTS. Reboot systems after patching to ensure full mitigation. Monitor for unusual OpenSSL crashes or resource consumption indicative of exploitation attempts. No additional detection signatures or IOCs are currently available.
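The reboot step matters because a running process keeps the pre-update libssl/libcrypto mapped until it restarts. The shell function below is an added example (not taken from the Ubuntu advisories or this page's sources) that lists processes still mapping a deleted copy of either library; the sample /proc tree, PIDs and process names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example: find processes that still map the OLD OpenSSL libraries after
# a package upgrade. dpkg replaces the .so on disk, so the kernel marks the old
# mapping in /proc/<pid>/maps with a trailing " (deleted)".

# stale_openssl_pids [proc_root] -> prints "PID COMM LIBRARY", one line per process
stale_openssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # unreadable or no match: skip
        pid="${maps%/maps}"; pid="${pid##*/}"
        # Field 6 of a maps line is the backing file path.
        lib=$(awk '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ {print $6; exit}' \
              "$maps" 2>/dev/null)
        [ -n "$lib" ] || continue
        comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$lib"
    done
}

# make_sample_proc -> prints the path of a CONSTRUCTED fake /proc tree:
# PID 101 still maps the deleted library, PID 202 maps the current one.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    echo nginx > "$d/101/comm"
    echo '7f0a-7f0b r-xp 00000000 08:01 1111 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)' \
        > "$d/101/maps"
    echo sshd > "$d/202/comm"
    echo '7f1a-7f1b r-xp 00000000 08:01 2222 /usr/lib/x86_64-linux-gnu/libcrypto.so.3' \
        > "$d/202/maps"
    echo "$d"
}

# Demo on the constructed tree (offline, no privileges needed).
sample=$(make_sample_proc)
stale_openssl_pids "$sample"
rm -rf "$sample"
```

On a patched host, call `stale_openssl_pids` with no argument as root to scan the real /proc; any process it lists needs a restart (or the host a reboot) before the fix is in effect for it.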

Source articles (4)

  • USN-8414-1: OpenSSL vulnerabilities — Ubuntu · 2026-06-09
    Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtai…
  • USN-8414-2: OpenSSL vulnerabilities — Ubuntu · 2026-06-09
    USN-8414-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory det…
  • Ubuntu 8414-2: OpenSSL — Linuxsecurity · 2026-06-09
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: USN-8414-1 fixed several vulnerabilities in…
  • Ubuntu 26.04 LTS OpenSSL Critical Denial of Service Vuln USN-8414 — Linuxsecurity · 2026-06-09
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in OpenSSL. S…

Timeline

  • 2026-06-09 — OpenSSL vulnerabilities disclosed: Multiple vulnerabilities affecting Ubuntu LTS versions were disclosed, including CVE-2026-34180 and CVE-2026-34182.
  • 2026-06-09 — USN-8414-2 released: An update was released for Ubuntu 14.04, 16.04, 18.04, and 20.04 LTS addressing OpenSSL vulnerabilities.
  • 2026-06-09 — CVE-2026-34180 published: Heap buffer over-read in OpenSSL could lead to denial of service or information disclosure.
  • 2026-06-09 — CVE-2026-34182 published: Flaw in OpenSSL allows forged CMS AuthEnvelopedData messages, bypassing message authentication checks.
  • 2026-06-09 — CVE-2026-45447 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — CVE-2026-7383 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — CVE-2026-42769 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — CVE-2026-34183 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — CVE-2026-9076 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — CVE-2026-45445 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2026-34180
  • CVE-2026-34181
  • CVE-2026-34182
  • CVE-2026-34183
  • CVE-2026-42764
  • CVE-2026-42766
  • CVE-2026-42767
  • CVE-2026-42768
  • CVE-2026-42769
  • CVE-2026-42770
  • CVE-2026-45445
  • CVE-2026-45446
  • CVE-2026-45447
  • CVE-2026-7383
  • CVE-2026-9076

Related entities

  • Data Breach (Attack Type)
  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-122 - Heap-based Buffer Overflow (CWE)
  • CWE-125 - Out-of-bounds Read (CWE)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • CWE-416 - Use After Free (CWE)
  • CWE-476 - NULL Pointer Dereference (CWE)
  • OpenSSL (Tool)
  • Ubuntu (Company)