UBUNTU-CVE-2025-14282

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-14282

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-14282

Upstream

CVE-2025-14282

Published

2026-02-12T22:16:00Z

Modified

2026-04-27T18:51:28.327251Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root's credentials, bypassing both file system restrictions and any SOPEERCRED / SOPASSCRED checks performed by the peer.

References

Affected packages

Ubuntu:16.04:LTS

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2016.72-1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2014.*

2014.65-1ubuntu2

2015.*

2015.68-1

2015.70-1

2015.71-1

2016.*

2016.72-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2016.72-1"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2016.72-1"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2016.72-1"
        },
        {
            "binary_name": "dropbear-run",
            "binary_version": "2016.72-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"

Ubuntu:22.04:LTS

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2020.81-5ubuntu0.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2020.*

2020.81-3

2020.81-4

2020.81-5

2020.81-5ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2020.81-5ubuntu0.1"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2020.81-5ubuntu0.1"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2020.81-5ubuntu0.1"
        },
        {
            "binary_name": "dropbear-run",
            "binary_version": "2020.81-5ubuntu0.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"

Ubuntu:24.04:LTS

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2022.83-4?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2022.*

2022.83-2

2022.83-3

2022.83-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2022.83-4"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2022.83-4"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2022.83-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"

Ubuntu:25.10

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2025.88-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2024.*

2024.86-2

2025.*

2025.88-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2025.88-2"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2025.88-2"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2025.88-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"

Ubuntu:26.04

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2025.89-1?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2025.*

2025.88-2

2025.89-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2025.89-1"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2025.89-1"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2025.89-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"

Ubuntu:Pro:18.04:LTS

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2017.75-3ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2017.*

2017.75-2

2017.75-3build1

2017.75-3ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2017.75-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2017.75-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2017.75-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "dropbear-run",
            "binary_version": "2017.75-3ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"

Ubuntu:Pro:20.04:LTS

dropbear

Package

Name: dropbear
Purl: pkg:deb/ubuntu/dropbear@2019.78-2ubuntu0.1~esm1?arch=source&distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2019.*

2019.78-2build1

2019.78-2ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dropbear",
            "binary_version": "2019.78-2ubuntu0.1~esm1"
        },
        {
            "binary_name": "dropbear-bin",
            "binary_version": "2019.78-2ubuntu0.1~esm1"
        },
        {
            "binary_name": "dropbear-initramfs",
            "binary_version": "2019.78-2ubuntu0.1~esm1"
        },
        {
            "binary_name": "dropbear-run",
            "binary_version": "2019.78-2ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14282.json"