CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
Analysis (AI)
Ubuntu Subiquity 24.04.4 leaks sensitive user credentials in crash report logs submitted to Launchpad during installation failures, potentially exposing plaintext Wi-Fi passwords and other credentials to unauthorized third parties. The vulnerability affects multiple Ubuntu versions (24.04.4, 25.04, and 25.10) and requires user interaction (submission of a crash report) but carries low real-world exploitation risk due to a CVSS score of 2.7 and absence of active exploitation signals. No public exploit code is known; vendor-released patches are available.
Technical Context (AI)
Subiquity is Ubuntu's server installation framework responsible for automated OS deployment and system configuration. The vulnerability stems from CWE-1258 (Exposure of Sensitive Information Through Query Strings or Log Files), where sensitive credentials, specifically plaintext Wi-Fi passwords and other user-provided secrets, are inadvertently included in the diagnostic logs generated during installation failures. When a user opts to report a crash to Launchpad's bug-tracking system, these logs are attached and transmitted, exposing the credentials to Canonical infrastructure and potentially to public bug reports. The root cause is insufficient credential sanitization in the log generation and packaging logic before submission.
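As an added illustration of the sanitization step the analysis describes as missing, the following Python (written for this page, not Subiquity's own code) redacts the values of credential-bearing keys from a constructed installer log before it would be attached to a bug report, then verifies that none of the captured secret values survive in the output. The key list, the two patterns, and the sample log are assumptions chosen to cover the YAML, key=value and JSON shapes in which such secrets commonly appear in installer logs.

```python
import re

# Constructed sample of the kind of text an installer log might contain.
# This is NOT real Subiquity output; it stands in for the class of data
# (netplan Wi-Fi password, wpa_supplicant psk, cloud-init user-data)
# that the advisory says could end up in a crash report.
SAMPLE_LOG = """\
2025-01-01 10:00:00 INFO  installer: applying network config
wifis:
  wlan0:
    access-points:
      "HomeNetwork":
        password: "hunter2-super-secret"
2025-01-01 10:00:01 DEBUG wpa_supplicant: psk="hunter2-super-secret"
2025-01-01 10:00:02 INFO  curtin: user-data: {"password": "$6$rounds=4096$abc$hashvalue", "ssh_authorized_keys": []}
2025-01-01 10:00:03 ERROR storage: partition failed on /dev/sda
"""

# Assumption: an illustrative list of keys whose values must never leave
# the machine inside a diagnostic attachment.
SECRET_KEYS = ("password", "psk", "passphrase", "secret", "token")
_KEYS = "|".join(SECRET_KEYS)

# YAML / key=value style:   password: "value"   or   psk=value
KV_PATTERN = re.compile(
    r'''\b(?P<key>(?:%s)\s*[:=]\s*)(?P<quote>["']?)(?P<value>[^"'\s,}]+)(?P=quote)''' % _KEYS,
    re.IGNORECASE,
)
# JSON style:   "password": "value"
JSON_PATTERN = re.compile(
    r'("(?:%s)"\s*:\s*")([^"]*)(")' % _KEYS,
    re.IGNORECASE,
)

REDACTED = "<REDACTED>"


def redact_secrets(text: str) -> str:
    """Replace the value following every known secret key with a placeholder.

    JSON is handled first so that a redacted JSON value cannot be
    re-matched by the looser key=value pattern afterwards.
    """
    text = JSON_PATTERN.sub(lambda m: m.group(1) + REDACTED + m.group(3), text)
    text = KV_PATTERN.sub(
        lambda m: m.group("key") + m.group("quote") + REDACTED + m.group("quote"),
        text,
    )
    return text


def find_secret_values(text: str) -> set:
    """Collect the raw secret values present in the unredacted text."""
    values = {m.group(2) for m in JSON_PATTERN.finditer(text)}
    values |= {m.group("value") for m in KV_PATTERN.finditer(text)}
    return values


def verify_redaction(original: str, sanitized: str) -> set:
    """Return the secret values from `original` that still appear in `sanitized`.

    An empty set means the attachment is safe to send, at least with
    respect to the keys this sanitizer knows about.
    """
    return {v for v in find_secret_values(original) if v in sanitized}


if __name__ == "__main__":
    clean = redact_secrets(SAMPLE_LOG)
    print(clean)
    leaked = verify_redaction(SAMPLE_LOG, clean)
    print("leaked values:", leaked or "none")
```

The verification step is the part worth copying: a bug-report packager should refuse to attach a log when `verify_redaction` returns a non-empty set rather than trust that the regexes covered every format, because a secret that appears in a shape the sanitizer does not recognize (a URL query string, a base64 blob) is exactly what ends up in a public tracker.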
Remediation (AI)
Vendor-released patches are available via GitHub pull requests #2358 and #2357 in the canonical/subiquity repository. Users should update Subiquity to a patched version released after these PRs were merged; exact version numbers are not specified in the available data, so users should consult Canonical's Ubuntu security advisories for the definitive patched release for their Ubuntu variant (Desktop, Server, or Cloud Images). As an interim measure before patching, users experiencing installation failures who are concerned about credential exposure should avoid submitting crash reports to Launchpad and instead file manual bug reports without attaching diagnostic logs. Desktop and Server users can check for updates via the standard package manager (`apt-get update && apt-get upgrade`) once patches are released through Canonical repositories. For air-gapped or managed deployments, coordinate patching through configuration management tools or Ubuntu Pro subscriptions.
EUVD-2025-209375
GHSA-5p47-92qw-3767