Description
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
Published: 2026-04-09
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure
Action: Patch
AI Analysis

Impact

A flaw in Ubuntu Subiquity version 24.04.4 allows the application to include user credentials in crash reports sent to Launchpad. When an installation fails and the user submits a bug report, Subiquity may attach logs that contain the user's plaintext Wi‑Fi password. This results in a low‑severity information disclosure that compromises the confidentiality of user credentials but does not affect system integrity or availability.

Affected Systems

Canonical’s Ubuntu Subiquity installer, specifically version 24.04.4, is affected. Users running this release on Ubuntu installations are vulnerable when they submit crash reports following a failed installation.

Risk and Exploitability

The CVSS score of 2.7 classifies this issue as low severity, and no exploit probability data is available. The vulnerability can only be exploited by a user who voluntarily submits a crash report after a failure, so the attack vector is user‑initiated and unlikely to be used for widespread compromise. It is not listed in the CISA KEV catalog. Overall, the risk is minimal but should be mitigated promptly to prevent accidental disclosure of sensitive credentials.

Generated by OpenCVE AI on April 9, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Subiquity to the latest patch or a newer release that fixes the crash‑report logging bug.

Generated by OpenCVE AI on April 9, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical ubuntu
Vendors & Products Canonical
Canonical ubuntu

Thu, 09 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
Title Senstive information disclosure was affecting subiquity
Weaknesses CWE-1258
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U'}

Subscriptions

Canonical Ubuntu
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-10T13:54:40.369Z

Reserved: 2025-12-11T20:32:58.130Z

Link: CVE-2025-14551

cve-icon Vulnrichment

Updated: 2026-04-10T13:54:16.553Z

cve-icon NVD

Status : Received

Published: 2026-04-09T16:16:23.890

Modified: 2026-04-09T16:16:23.890

Link: CVE-2025-14551

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:28Z

Weaknesses