Ubuntu fixes three security flaws in latest kernel update

Updated Ubuntu 20.04 kernel

Any mid-level Ubuntu user knows that a new version of the operating system is released every six months, that every two years there is an LTS version, and that the kernel can take a long time to update. In fact, when it does, it does so in LTS versions if we don't follow a few steps like the ones in this article on how to keep it in Focal Fossa. The truth is that the kernel does get updated, but to add security patches, as has now been done for all currently supported versions of Ubuntu.

A few hours ago, Canonical published three USN reports: USN-5443-1, USN-5442-1 and USN-5444-1. The first of them affects all Ubuntu versions that are still supported: the recently released Ubuntu 22.04; 21.10, the only supported non-LTS version; and then 18.04 and 16.04, the latter of which is still supported because it has entered its ESM phase, which allows it to continue receiving security patches.

Ubuntu updates its kernel for security

In the description of USN-5443-1, we read about two flaws:

(1) The Linux kernel's network scheduling and queuing subsystem did not perform reference counting correctly in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (2) The Linux kernel was not correctly enforcing seccomp restrictions in some situations. A local attacker could use this to bypass the intended seccomp sandbox restrictions.

As for USN-5442-1, which only affects 20.04 and 18.04, it describes three more bugs:

(1) The Network Queuing and Scheduling subsystem of the Linux kernel did not perform reference counting correctly in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (2) The io_uring subsystem of the Linux kernel contained an integer overflow. A local attacker could use it to cause a denial of service (system crash) or execute arbitrary code. (3) The Linux kernel was not correctly enforcing seccomp restrictions in some situations. A local attacker could use this to bypass the intended seccomp sandbox restrictions.

And as for USN-5444-1, which affects Ubuntu 22.04 and 20.04:

The Network Queuing and Scheduling subsystem of the Linux kernel did not perform reference counting correctly in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.

To avoid all these problems, the only thing that needs to be done is to update the kernel, which can be done automatically with the update tool of any official flavor of Ubuntu. Once again, remember that it is worth keeping the operating system up to date, at least with the latest security patches.

