CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
Analysis
Ubuntu Subiquity 24.04.4 leaks sensitive user credentials into the crash-report logs that are submitted to Launchpad after an installation failure, exposing plaintext Wi-Fi passwords and other credentials to anyone able to read the resulting bug report. The vulnerability affects the 24.04, 25.04 and 25.10 installer series. It is only triggered when the user chooses to submit a crash report (the CVSS vector above nonetheless records UI:N), and real-world exploitation risk is rated low: the CVSS score is 2.7 and no active exploitation has been observed. No public exploit code is known; vendor patches are available.
Technical Context
Subiquity is Ubuntu's installer, used directly by Ubuntu Server and as the backend of the Ubuntu Desktop installer in recent releases; it drives OS deployment and initial system configuration. The advisory classifies the weakness as CWE-1258; in practical terms it is sensitive information written to log files: user-provided secrets, specifically the plaintext Wi-Fi password entered during network configuration and other credentials, are written verbatim into the diagnostic logs generated when an installation fails. When the user opts to report the crash to Launchpad's bug tracker, those logs are attached and transmitted, exposing the credentials to Canonical infrastructure and, if the bug is public, to anyone who reads it. The root cause is insufficient sanitization of credentials in the log generation and packaging logic before submission.
Affected Products
Ubuntu Subiquity versions 24.04.4, 25.04 and 25.10 are affected. The CPE identifier cpe:2.3:a:canonical:ubuntu:*:*:*:*:*:*:*:* reflects that the weakness sits in the Ubuntu installer itself rather than in a single package release. ENISA EUVD-2025-209375 lists the affected ranges as Ubuntu ≤ 24.04.4, Ubuntu ≤ 25.04 and Ubuntu ≤ 25.10, i.e. the 24.04 installer series up to and including 24.04.4, and the 25.04 and 25.10 series prior to the fix. Canonical's vulnerability reporting confirms Subiquity as the affected component within Ubuntu.
Remediation
Vendor-released patches are available via GitHub pull requests #2358 and #2357 in the canonical/subiquity repository. Update Subiquity to a build that includes these PRs; exact patched version numbers are not specified in the available data, so consult Canonical's Ubuntu security advisories for the definitive patched release for your Ubuntu variant (Desktop, Server or Cloud Images). Note that Subiquity runs from the installation media, not from the installed system, so upgrading packages on an installed machine does not change the installer on an existing ISO. Subiquity ships on the ISO as a snap and, when a network is available, offers to refresh itself to the current release at the start of the install; accept that refresh, or use installation media built after the fix. Until then, users who hit an installation failure and are concerned about credential exposure should not submit the crash report to Launchpad; file a manual bug report without the diagnostic logs, or review the logs and redact every password, passphrase or token value before attaching them. Anyone who has already submitted a report containing a Wi-Fi password should treat that password as compromised, rotate it, and ask for the bug to be made private or the attachment removed. On installed systems, standard package updates (apt-get update && apt-get upgrade) pick up fixes once they reach the Canonical repositories; for air-gapped or managed deployments, coordinate patching through configuration management tooling or Ubuntu Pro.
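Because the leak is a log file that the user attaches, the practical pre-submission check is to scan the installer logs for secret values and redact them. The script below is an added example, not code from Subiquity, Canonical or the advisory. It assumes (as the advisory does not say) that the Wi-Fi password lands in the log as a netplan-style password: entry, that other secrets appear as key: value, key=value or JSON "key": "value" pairs under common key names, and that the logs to check live under /var/log/installer/ in the live session (the typical location; confirm on your system). The same redaction, applied before the log bundle is packaged, is the sanitization the Technical Context section describes as missing.

```python
"""Pre-submission scan of installer logs for secret values.

Added example, not Subiquity's own code. Assumptions not taken from the
advisory: the leaked Wi-Fi password appears in a netplan-style YAML dump
("password: <psk>" under an access point); other secrets show up as
key: value, key=value or JSON "key": "value" pairs under common key names.
"""
import re
import sys

# Secret key names to look for (assumption; extend for your environment).
SECRET_KEYS = ("password", "passwd", "psk", "passphrase", "secret", "token")
REDACTED = "<REDACTED>"

# A key name (allowing prefix/suffix such as wifi_password or password_hash),
# then ': ' / '=' / '": ' as separator, then either a quoted or a bare value.
_SECRET_RE = re.compile(
    r"(?P<key>\b\w*(?:" + "|".join(SECRET_KEYS) + r")\w*)"
    r"(?P<sep>\"?\s*[:=]\s*)"
    r"(?:(?P<q>[\"'])(?P<qval>[^\"']*)(?P=q)|(?P<val>[^\s,}\]]+))",
    re.IGNORECASE,
)


def _replace(m: re.Match) -> str:
    """Keep the key and separator; replace only the value, preserving quotes."""
    quote = m.group("q") or ""
    return f"{m.group('key')}{m.group('sep')}{quote}{REDACTED}{quote}"


def redact_line(line: str) -> str:
    """Return the line with every matched secret value replaced."""
    return _SECRET_RE.sub(_replace, line)


def scan_log(text: str) -> tuple[list[tuple[int, str]], str]:
    """Scan a log; return ([(line_no, key), ...], redacted_text).

    Values that are already "<REDACTED>" produce no findings, so running the
    scan over its own output is idempotent.
    """
    findings: list[tuple[int, str]] = []
    redacted: list[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _SECRET_RE.finditer(line):
            value = m.group("qval") if m.group("q") else m.group("val")
            if value != REDACTED:
                findings.append((n, m.group("key").lower()))
        redacted.append(redact_line(line))
    return findings, "\n".join(redacted)


# Constructed sample lines mimicking an installer debug log; not real output.
SAMPLE_LOG = """\
2025-06-01 12:00:01 subiquity-server DEBUG network config:
  wifis:
    wlan0:
      access-points:
        "HomeNet":
          password: "correct horse battery"
2025-06-01 12:00:02 subiquity-server DEBUG identity: {"username": "alice", "password_hash": "$6$rounds=...$abc"}
2025-06-01 12:00:03 curtin INFO proxy http://proxy.example:3128
2025-06-01 12:00:04 subiquity-server DEBUG api token=abc123def
"""


if __name__ == "__main__":
    # Usage: python scan_logs.py /var/log/installer/*.log
    # Without arguments the constructed sample above is scanned.
    sources = sys.argv[1:] or ["<sample>"]
    for src in sources:
        text = SAMPLE_LOG if src == "<sample>" else open(src, errors="replace").read()
        findings, _ = scan_log(text)
        for n, key in findings:
            print(f"{src}:{n}: secret value under key {key!r}")
```

Run it over the log directory before attaching anything; a non-empty findings list means the bundle needs redaction (or a manual report without logs). Key-name matching is deliberately broad (it also catches password_hash and wifi_password) because over-redacting a diagnostic log is far cheaper than publishing a credential.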
References
EUVD-2025-209375
GHSA-5p47-92qw-3767