Today, May 16, 2016, Canonical published multiple security notices to inform the Ubuntu community about the availability of a new kernel update for their operating systems.

Fortunately, this is a minor Linux kernel update that patches only two vulnerabilities discovered recently in the Linux 4.4 LTS, Linux 4.2, and Linux 3.13 kernel packages of Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 15.10 (Wily Werewolf), and Ubuntu 14.04 LTS (Trusty Tahr) respectively.

The security issue that affects all three Ubuntu releases has been discovered by Philip Pettersson in Linux kernel's ASN.1 DER decoder, which was not capable of correctly processing certificate files that contained tags of indefinite length, thus allowing an unprivileged local attacker to crash the system by causing a denial of service or execute arbitrary code as root (system administrator).

Users are urged to update as soon as possible

On the other hand, the second kernel vulnerability affects only Ubuntu 16.04 LTS and Ubuntu 15.10 operating systems, has been discovered by David Matlack in Linux kernel's KVM (Kernel-based Virtual Machine) implementation, which failed to properly restrict variable MTRR (Memory Type Range Registers) in KVM guests, allowing a privileged user in a guest virtual machine to crash the system, gain root access, or expose sensitive information.

Both security issues are documented at CVE-2016-3713 and CVE-2016-0758, and Canonical urges all users of the Ubuntu 16.04 LTS, Ubuntu 15.10, and Ubuntu 14.04 LTS operating systems to update as soon as possible. The new kernel version, linux-image-4.4.0-22 (4.4.0-22.40) for Ubuntu 16.04 LTS, linux-image-4.2.0-36 (4.2.0-36.42) for Ubuntu 15.10, and linux-image-3.13.0-86 (3.13.0-86.131) for Ubuntu 14.04 LTS are now live in the main software repositories.