StackPatch is liveSee product

Back to CVE digest
Ubuntu USN · USN-8224-1

Linux kernel (BlueField) vulnerabilities

Published: Wed, 29 Apr 2026 13:36

CVE-2022-48875CVE-2026-23268CVE-2022-49046CVE-2024-49927CVE-2025-37849CVE-2025-21780CVE-2025-40215CVE-2026-23404CVE-2024-56640CVE-2026-23409CVE-2026-23410CVE-2026-23403CVE-2022-49698CVE-2026-23269CVE-2026-23407CVE-2024-46816CVE-2026-23406CVE-2025-40019CVE-2026-23060CVE-2026-23411CVE-2026-23074CVE-2025-21726CVE-2021-47599CVE-2026-23405

Summary

Several security issues were fixed in the Linux kernel.

Details

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module (LSM). An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information (kernel memory), local privilege escalation, or possibly escape a container. (LP: #2143853, CVE-2026-23268, CVE-2026-23269, CVE-2026-23403, CVE-2026-23404, CVE-2026-23405, CVE-2026-23406, CVE-2026-23407, CVE-2026-23408, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - x86 architecture; - Cryptographic API; - GPU drivers; - I2C subsystem; - BTRFS file system; - XFRM subsystem; - Padata parallel execution mechanism; - IPv4 networking; - IPv6 networking; - MAC80211 subsystem; - Netfilter; - Network traffic control; - SMC sockets; (CVE-2021-47599, CVE-2022-48875, CVE-2022-49046, CVE-2022-49698, CVE-2024-46816, CVE-2024-49927, CVE-2024-56640, CVE-2025-21726, CVE-2025-21780, CVE-2025-37849, CVE-2025-40019, CVE-2025-40215, CVE-2026-23060, CVE-2026-23074)

Recommended actions per Ubuntu release

StackPatch playbook auto-generated per release codename and per affected package.

Ubuntu focal

  • linux-bluefield5.4.0-1116.123apt_upgrade

    Standard apt upgrade. Install 5.4.0-1116.123 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-bluefield

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-bluefield5.4.0.1116.112apt_upgrade

    Standard apt upgrade. Install 5.4.0.1116.112 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-bluefield

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-bluefield-5.45.4.0.1116.112apt_upgrade

    Standard apt upgrade. Install 5.4.0.1116.112 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-bluefield-5.4

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-bluefield-headers-5.4.0-11165.4.0-1116.123apt_upgrade

    Standard apt upgrade. Install 5.4.0-1116.123 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-bluefield-headers-5.4.0-1116

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-bluefield-tools-5.4.0-11165.4.0-1116.123apt_upgrade

    Standard apt upgrade. Install 5.4.0-1116.123 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-bluefield-tools-5.4.0-1116

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-buildinfo-5.4.0-1116-bluefield5.4.0-1116.123apt_upgrade

    Standard apt upgrade. Install 5.4.0-1116.123 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-buildinfo-5.4.0-1116-bluefield

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-headers-5.4.0-1116-bluefield5.4.0-1116.123kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-headers-5.4.0-1116-bluefield
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-headers-bluefield5.4.0.1116.112kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-headers-bluefield
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-headers-bluefield-5.45.4.0.1116.112kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-headers-bluefield-5.4
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-image-5.4.0-1116-bluefield5.4.0-1116.123kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-image-5.4.0-1116-bluefield
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-image-bluefield5.4.0.1116.112kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-image-bluefield
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-image-bluefield-5.45.4.0.1116.112kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-image-bluefield-5.4
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-image-unsigned-5.4.0-1116-bluefield5.4.0-1116.123kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-image-unsigned-5.4.0-1116-bluefield
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-modules-5.4.0-1116-bluefield5.4.0-1116.123kernel_reboot

    Kernel package — apt-upgrade then REBOOT to load the patched kernel.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-modules-5.4.0-1116-bluefield
sudo reboot

    Reboot is required. ~30-60s downtime; containers self-restart.

  • linux-tools-5.4.0-1116-bluefield5.4.0-1116.123apt_upgrade

    Standard apt upgrade. Install 5.4.0-1116.123 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-tools-5.4.0-1116-bluefield

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-tools-bluefield5.4.0.1116.112apt_upgrade

    Standard apt upgrade. Install 5.4.0.1116.112 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-tools-bluefield

    Most apt upgrades restart their service automatically. needrestart lists anything else.

  • linux-tools-bluefield-5.45.4.0.1116.112apt_upgrade

    Standard apt upgrade. Install 5.4.0.1116.112 from the apt repo.

    sudo apt-get update
sudo apt-get install --only-upgrade -y linux-tools-bluefield-5.4

    Most apt upgrades restart their service automatically. needrestart lists anything else.

Are YOU affected by USN-8224-1?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8224-1 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash
Form-based quickscan Read the bash source first

References

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →