Description
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
Published: 2026-04-09
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure
Action: Patch Now
AI Analysis

Impact

A flaw in ubuntu-desktop-provision allows the inclusion of a user’s password hash in crash‑report logs when an installation fails and a bug report is submitted to Launchpad. The weakness stems from improper handling of credential information during crash reporting, corresponding to CWE‑1258. If the log files become accessible, an attacker could obtain hashed credentials, compromising account security.

Affected Systems

Canonical Ubuntu’s ubuntu‑desktop‑provision package, version 24.04.4, is affected on Ubuntu 24.04 LTS desktop installations. No other versions or platforms are listed in the advisory.

Risk and Exploitability

The metric score of 2.7 indicates low severity. No exploitation probability score is available, and the vulnerability is not listed in the KEV catalog. The attack requires a user to trigger a crash during installation, submit a bug report, and then obtain the attached log file from Launchpad or the local system. Thus, exploitation depends on obtaining the crash log, which may be restricted to the local user or an entity with access to the Launchpad account. The likely attack vector is therefore indirect and limited.

Generated by OpenCVE AI on April 9, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest ubuntu‑desktop‑provision package (24.04.5 or newer).
  • Disable crash reporting or configure it to omit sensitive data from logs during failure.

Generated by OpenCVE AI on April 9, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Fri, 17 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Canonical ubuntu Desktop Provision
CPEs cpe:2.3:a:canonical:ubuntu_desktop_provision:24.04.4:*:*:*:*:*:*:*
Vendors & Products Canonical ubuntu Desktop Provision
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical ubuntu
Vendors & Products Canonical
Canonical ubuntu

Thu, 09 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
Title Senstive information disclosure was affecting ubuntu-desktop-provision
Weaknesses CWE-1258
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U'}

Subscriptions

Canonical Ubuntu Ubuntu Desktop Provision
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-10T13:57:17.350Z

Reserved: 2026-01-07T14:28:47.147Z

Link: CVE-2025-15480

cve-icon Vulnrichment

Updated: 2026-04-10T13:56:58.292Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T16:16:25.250

Modified: 2026-04-17T20:18:08.243

Link: CVE-2025-15480

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:30Z

Weaknesses