UBUNTU-CVE-2026-42046

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-42046

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-42046

Upstream

CVE-2026-42046

Downstream

USN-8318-1

Related

USN-8318-1

Published

2026-05-11T22:22:00Z

Modified

2026-05-27T14:00:05.943514751Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.

References

Affected packages

Ubuntu:22.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.99.beta19-2.2ubuntu4.2

Affected versions

0.*

0.99.beta19-2.2ubuntu2

0.99.beta19-2.2ubuntu3

0.99.beta19-2.2ubuntu4

0.99.beta19-2.2ubuntu4.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "0.99.beta19-2.2ubuntu4.2",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta19-2.2ubuntu4.2",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:24.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.99.beta20-4ubuntu0.2

Affected versions

0.*

0.99.beta20-3build1

0.99.beta20-4

0.99.beta20-4build1

0.99.beta20-4build2

0.99.beta20-4ubuntu0.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "0.99.beta20-4ubuntu0.2",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta20-4ubuntu0.2",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:25.10

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.99.beta20-5ubuntu0.25.10.2

Affected versions

0.*

0.99.beta20-5

0.99.beta20-5ubuntu0.25.10.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "0.99.beta20-5ubuntu0.25.10.2",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta20-5ubuntu0.25.10.2",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:26.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.99.beta20-6ubuntu2.1

Affected versions

0.*

0.99.beta20-5

0.99.beta20-6

0.99.beta20-6ubuntu1

0.99.beta20-6ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "0.99.beta20-6ubuntu2.1",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta20-6ubuntu2.1",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:Pro:14.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.99.beta18-1ubuntu2

0.99.beta18-1ubuntu3

0.99.beta18-1ubuntu4

0.99.beta18-1ubuntu5

0.99.beta18-1ubuntu5.1

0.99.beta18-1ubuntu5.1+esm1

0.99.beta18-1ubuntu5.1+esm2

0.99.beta18-1ubuntu5.1+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.99.beta18-1ubuntu5.1+esm3",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta18-1ubuntu5.1+esm3",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:Pro:16.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.99.beta19-2build2~gcc5.1

0.99.beta19-2build2~gcc5.2

0.99.beta19-2ubuntu0.16.04.1

0.99.beta19-2ubuntu0.16.04.2

0.99.beta19-2ubuntu0.16.04.2+esm1

0.99.beta19-2ubuntu0.16.04.2+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.99.beta19-2ubuntu0.16.04.2+esm2",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta19-2ubuntu0.16.04.2+esm2",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:Pro:18.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.99.beta19-2build2~gcc5.2

0.99.beta19-2build2~gcc5.3

0.99.beta19-2ubuntu0.18.04.1

0.99.beta19-2ubuntu0.18.04.2

0.99.beta19-2ubuntu0.18.04.3

0.99.beta19-2ubuntu0.18.04.3+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.99.beta19-2ubuntu0.18.04.3+esm1",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta19-2ubuntu0.18.04.3+esm1",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"

Ubuntu:Pro:20.04:LTS

libcaca

Package

Name: libcaca
Purl: pkg:deb/ubuntu/libcaca?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.99.beta19-2.1

0.99.beta19-2.1ubuntu1

0.99.beta19-2.1ubuntu1.20.04.1

0.99.beta19-2.1ubuntu1.20.04.2

0.99.beta19-2.1ubuntu1.20.04.2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.99.beta19-2.1ubuntu1.20.04.2+esm1",
            "binary_name": "caca-utils"
        },
        {
            "binary_version": "0.99.beta19-2.1ubuntu1.20.04.2+esm1",
            "binary_name": "libcaca0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42046.json"