Ubuntu USN · USN-8414-2

OpenSSL vulnerabilities

Published: Tue, 09 Jun 2026 18:29

CVE-2026-45447CVE-2026-34182CVE-2026-34180CVE-2026-42766CVE-2026-7383CVE-2026-9076

Summary

USN-8414-1 fixed several vulnerabilities in OpenSSL.

Details

USN-8414-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtain sensitive information. (CVE-2026-34180) Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could accept forged CMS AuthEnvelopedData messages. An attacker could possibly use this issue to bypass message authentication checks. (CVE-2026-34182) Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan Zhang discovered that OpenSSL had a possible NULL dereference in password- based CMS decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42766) Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a NULL pointer dereference in CRMF EncryptedValue decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42767) Thai Duong discovered that OpenSSL had a heap use-after-free in PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-45447) Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer overflow in ASN.1 multibyte string conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-7383) Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS password-based decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-9076)

Recommended actions per Ubuntu release

StackPatch playbook auto-generated per release codename and per affected package.

Ubuntu bionic

openssl→1.1.1-1ubuntu2.1~18.04.23+esm9apt_upgrade
Standard apt upgrade. Install 1.1.1-1ubuntu2.1~18.04.23+esm9 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl1.0→1.0.2n-1ubuntu5.13+esm5apt_upgrade
Standard apt upgrade. Install 1.0.2n-1ubuntu5.13+esm5 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl1.0
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→1.1.1-1ubuntu2.1~18.04.23+esm9apt_upgrade
Standard apt upgrade. Install 1.1.1-1ubuntu2.1~18.04.23+esm9 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-dev
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→1.1.1-1ubuntu2.1~18.04.23+esm9apt_upgrade
Standard apt upgrade. Install 1.1.1-1ubuntu2.1~18.04.23+esm9 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl1.0-dev→1.0.2n-1ubuntu5.13+esm5apt_upgrade
Standard apt upgrade. Install 1.0.2n-1ubuntu5.13+esm5 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl1.0-dev
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl1.0.0→1.0.2n-1ubuntu5.13+esm5apt_upgrade
Standard apt upgrade. Install 1.0.2n-1ubuntu5.13+esm5 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl1.0.0
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl1.1→1.1.1-1ubuntu2.1~18.04.23+esm9apt_upgrade
Standard apt upgrade. Install 1.1.1-1ubuntu2.1~18.04.23+esm9 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl1.1
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→1.1.1-1ubuntu2.1~18.04.23+esm9apt_upgrade
Standard apt upgrade. Install 1.1.1-1ubuntu2.1~18.04.23+esm9 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl1.0→1.0.2n-1ubuntu5.13+esm5apt_upgrade
Standard apt upgrade. Install 1.0.2n-1ubuntu5.13+esm5 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl1.0
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu focal

openssl→1.1.1f-1ubuntu2.24+esm4apt_upgrade
Standard apt upgrade. Install 1.1.1f-1ubuntu2.24+esm4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→1.1.1f-1ubuntu2.24+esm4apt_upgrade
Standard apt upgrade. Install 1.1.1f-1ubuntu2.24+esm4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-dev
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→1.1.1f-1ubuntu2.24+esm4apt_upgrade
Standard apt upgrade. Install 1.1.1f-1ubuntu2.24+esm4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl1.1→1.1.1f-1ubuntu2.24+esm4apt_upgrade
Standard apt upgrade. Install 1.1.1f-1ubuntu2.24+esm4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl1.1
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→1.1.1f-1ubuntu2.24+esm4apt_upgrade
Standard apt upgrade. Install 1.1.1f-1ubuntu2.24+esm4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu trusty

openssl→1.0.1f-1ubuntu2.27+esm14apt_upgrade
Standard apt upgrade. Install 1.0.1f-1ubuntu2.27+esm14 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→1.0.1f-1ubuntu2.27+esm14apt_upgrade
Standard apt upgrade. Install 1.0.1f-1ubuntu2.27+esm14 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-dev
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→1.0.1f-1ubuntu2.27+esm14apt_upgrade
Standard apt upgrade. Install 1.0.1f-1ubuntu2.27+esm14 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl1.0.0→1.0.1f-1ubuntu2.27+esm14apt_upgrade
Standard apt upgrade. Install 1.0.1f-1ubuntu2.27+esm14 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl1.0.0
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→1.0.1f-1ubuntu2.27+esm14apt_upgrade
Standard apt upgrade. Install 1.0.1f-1ubuntu2.27+esm14 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu xenial

openssl→1.0.2g-1ubuntu4.20+esm16apt_upgrade
Standard apt upgrade. Install 1.0.2g-1ubuntu4.20+esm16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→1.0.2g-1ubuntu4.20+esm16apt_upgrade
Standard apt upgrade. Install 1.0.2g-1ubuntu4.20+esm16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-dev
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→1.0.2g-1ubuntu4.20+esm16apt_upgrade
Standard apt upgrade. Install 1.0.2g-1ubuntu4.20+esm16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl1.0.0→1.0.2g-1ubuntu4.20+esm16apt_upgrade
Standard apt upgrade. Install 1.0.2g-1ubuntu4.20+esm16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libssl1.0.0
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→1.0.2g-1ubuntu4.20+esm16apt_upgrade
Standard apt upgrade. Install 1.0.2g-1ubuntu4.20+esm16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssl
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Are YOU affected by USN-8414-2?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8414-2 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →