CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
Analysis (AI)
ubuntu-desktop-provision version 24.04.4 leaks user password hashes in the crash report logs submitted to Launchpad after an installation failure. An unauthenticated remote attacker can obtain this authentication material if the user opts to report the failure: user interaction is required to trigger the issue, but the result is direct exposure of credential hashes. A patch is available from Canonical via GitHub pull requests; at the time of analysis, EPSS and KEV data indicated no active exploitation.
Technical Context (AI)
ubuntu-desktop-provision is the desktop provisioning tool in Ubuntu responsible for system installation and configuration. The vulnerability stems from inadequate sanitization of diagnostic logs before they are transmitted to Launchpad's bug reporting system (CWE-1258: Insertion of Sensitive Information into Log File). When an installation fails, the application includes unfiltered user credentials (specifically password hashes) in the crash report attachments. The defect sits at the intersection of error handling, logging infrastructure, and third-party service integration: sensitive material from configuration or credential stores is written to log files without redaction or filtering before the report leaves the machine.
Remediation (AI)
A vendor patch is available via GitHub pull requests #1400 and #1399 to canonical/ubuntu-desktop-provision; apply it to affected systems as soon as possible. Users should upgrade ubuntu-desktop-provision to a patched version released after these PRs are merged and shipped in Ubuntu security updates. Check Canonical's security advisories (https://usn.ubuntu.com) for the specific patched package version, then apply it with apt update && apt upgrade ubuntu-desktop-provision or a full system update. Workaround until the patch is deployed: users experiencing installation failures should avoid submitting bug reports to Launchpad, or manually review and redact sensitive information from crash logs before submission. System administrators should monitor Launchpad bug reports filed from affected Ubuntu versions and ask users to re-file without credential data if any is found.
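The failure mode described in the Technical Context and the "review and redact before submission" workaround above both come down to one control: a redaction pass over diagnostic logs before they are attached to an external report. The following is an added example of such a filter, written for this page; it is not code from ubuntu-desktop-provision or Canonical. The log lines, usernames and hash values are constructed, the regular expressions cover crypt(3)-style hash fields and secret-looking key/value pairs, and a separate gate function reports whether anything credential-like remains so a reporter can refuse to upload.

```python
"""Redact credential material from installer diagnostic logs before upload.

Added example (not ubuntu-desktop-provision code): a filter that a crash
reporter could run over attached logs so that password hashes and
secret-looking key/value pairs are replaced before the report leaves the host.
"""
import re
from typing import Tuple

REDACTED = "[REDACTED]"

# crypt(3)-style hash fields as found in /etc/shadow or installer state:
# $1$ (md5), $5$/$6$ (sha-crypt), $y$/$gy$ (yescrypt), $2a$/$2b$/$2x$/$2y$ (bcrypt).
# The trailing class covers salt, "rounds=N" parameters and the hash body.
CRYPT_HASH_RE = re.compile(r"\$(?:1|5|6|7|y|gy|2[abxy]|sha1|md5)\$[A-Za-z0-9./=,+$-]+")

# key/value pairs whose key names a secret, in JSON, ini or key=value form.
SECRET_KV_RE = re.compile(
    r'(?P<key>"?(?:password(?:_hash)?|passwd|secret|token|api_key)"?\s*[:=]\s*)'
    r'(?P<value>"[^"\n]*"|\'[^\'\n]*\'|[^\s,}]+)',
    re.IGNORECASE,
)

# Constructed sample of the kind of log an installer might attach to a bug
# report. Every hash, password and token below is made up for this example.
SAMPLE_LOG = (
    "2025-06-01 10:12:03 INFO  provisioning user account\n"
    '2025-06-01 10:12:03 DEBUG user config: {"username": "alice", '
    '"password_hash": "$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789", '
    '"shell": "/bin/bash"}\n'
    "2025-06-01 10:12:04 ERROR partition step failed: device busy\n"
    "2025-06-01 10:12:04 DEBUG shadow line: alice:$y$j9T$examplesalt$examplehash:19876:0:99999:7:::\n"
    "2025-06-01 10:12:04 DEBUG preseed: passwd/user-password=hunter2\n"
    "2025-06-01 10:12:05 DEBUG launchpad oauth: token='abc123'\n"
)


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with secrets replaced and the number of replacements made."""
    count = 0

    def kv_sub(m: "re.Match[str]") -> str:
        nonlocal count
        count += 1
        value = m.group("value")
        quote = value[0] if value[0] in "\"'" else ""  # keep the original quoting
        return f"{m.group('key')}{quote}{REDACTED}{quote}"

    # Key/value pairs first (catches plaintext secrets), then any hash field
    # that is not labelled by a key, such as a raw /etc/shadow line.
    line = SECRET_KV_RE.sub(kv_sub, line)
    line, n_hashes = CRYPT_HASH_RE.subn(REDACTED, line)
    return line, count + n_hashes


def redact_log(text: str) -> Tuple[str, int]:
    """Redact every line of a log; returns (redacted text, total replacements)."""
    out = []
    total = 0
    for line in text.splitlines():
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, total


def contains_credentials(text: str) -> bool:
    """Pre-submission gate: True if anything credential-like is still present."""
    if CRYPT_HASH_RE.search(text):
        return True
    return any(REDACTED not in m.group("value") for m in SECRET_KV_RE.finditer(text))


if __name__ == "__main__":
    cleaned, n = redact_log(SAMPLE_LOG)
    print(f"{n} replacements; safe to attach: {not contains_credentials(cleaned)}")
    print(cleaned)
```

A reporter would call redact_log on each attachment and refuse to upload while contains_credentials is still true; the gate deliberately runs the same patterns as the redactor so a line the redactor cannot rewrite still blocks submission rather than slipping through. The patterns are a starting point, not an exhaustive list: key names and hash formats should be extended to whatever the installer actually writes.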
EUVD-2025-209377