Home / mailingsPDF  

[USN-8413-1] Cyborg vulnerabilities

Posted on 09 June 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8413-1
June 09, 2026

cyborg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10

Summary:

Several security issues were fixed in Cyborg.

Software Description:
- cyborg: OpenStack Acceleration as a Service

Details:

It was discovered that Cyborg did not properly enforce project ownership in
the Accelerator Request (ARQ) API. An authenticated user could possibly use
this issue to delete ARQs bound to other projects' instances, resulting in
a cross-tenant denial of service. (CVE-2026-40214)

It was discovered that Cyborg used a permissive default policy that
authorized any request carrying a valid authentication token, regardless of
roles or scope, for multiple API endpoints. An authenticated user could
possibly use this issue to perform unauthorized actions, such as
reprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
cyborg-agent 16.0.0-2ubuntu0.1
cyborg-api 16.0.0-2ubuntu0.1
cyborg-common 16.0.0-2ubuntu0.1
cyborg-conductor 16.0.0-2ubuntu0.1
python3-cyborg 16.0.0-2ubuntu0.1

Ubuntu 25.10
cyborg-agent 14.0.0-3+deb13u1build0.25.10.1
cyborg-api 14.0.0-3+deb13u1build0.25.10.1
cyborg-common 14.0.0-3+deb13u1build0.25.10.1
cyborg-conductor 14.0.0-3+deb13u1build0.25.10.1
python3-cyborg 14.0.0-3+deb13u1build0.25.10.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8413-1
CVE-2026-40213, CVE-2026-40214

Package Information:
https://launchpad.net/ubuntu/+source/cyborg/16.0.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/cyborg/14.0.0-3+deb13u1build0.25.10.1

--===============5622045573406348150==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :