
[USN-8417-1] Tomcat vulnerabilities

Posted on 10 June 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8417-1
June 10, 2026

tomcat9, tomcat10 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat10: Servlet and JSP engine
- tomcat9: Servlet and JSP engine

Details:

It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)

It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)

It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)

It was discovered that Tomcat incorrectly handled digest
authentication. A remote attacker could possibly use this issue to
bypass authentication restrictions. (CVE-2026-43512)

It was discovered that Tomcat incorrectly handled case sensitivity
in LockOutRealm. A remote attacker could possibly use this issue to
bypass account lockout protections and obtain sensitive information.
(CVE-2026-43513)

It was discovered that Tomcat incorrectly handled authorization
when multiple method constraints defined the same HTTP method. A
remote attacker could possibly use this issue to bypass
authorization restrictions. (CVE-2026-43515)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libtomcat10-embed-java 10.1.40-1ubuntu1.26.04.1
libtomcat10-java 10.1.40-1ubuntu1.26.04.1
libtomcat9-java 9.0.115-1ubuntu0.1
tomcat10 10.1.40-1ubuntu1.26.04.1

Ubuntu 25.10
libtomcat10-embed-java 10.1.40-1ubuntu1.25.10.1
libtomcat10-java 10.1.40-1ubuntu1.25.10.1
libtomcat9-java 9.0.95-1ubuntu1.1
tomcat10 10.1.40-1ubuntu1.25.10.1

Ubuntu 24.04 LTS
libtomcat10-embed-java 10.1.16-1ubuntu0.1~esm4
Available with Ubuntu Pro
libtomcat10-java 10.1.16-1ubuntu0.1~esm4
Available with Ubuntu Pro
libtomcat9-java 9.0.70-2ubuntu0.1+esm3
Available with Ubuntu Pro
tomcat10 10.1.16-1ubuntu0.1~esm4
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libtomcat9-embed-java 9.0.58-1ubuntu0.2+esm4
Available with Ubuntu Pro
libtomcat9-java 9.0.58-1ubuntu0.2+esm4
Available with Ubuntu Pro
tomcat9 9.0.58-1ubuntu0.2+esm4
Available with Ubuntu Pro

Ubuntu 20.04 LTS
libtomcat9-embed-java 9.0.31-1ubuntu0.9+esm3
Available with Ubuntu Pro
libtomcat9-java 9.0.31-1ubuntu0.9+esm3
Available with Ubuntu Pro
tomcat9 9.0.31-1ubuntu0.9+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libtomcat9-embed-java 9.0.16-3ubuntu0.18.04.2+esm8
Available with Ubuntu Pro
libtomcat9-java 9.0.16-3ubuntu0.18.04.2+esm8
Available with Ubuntu Pro
tomcat9 9.0.16-3ubuntu0.18.04.2+esm8
Available with Ubuntu Pro

After a standard system update you need to restart Tomcat to make
all the necessary changes. Applications that embed Tomcat through the
libtomcat9-embed-java or libtomcat10-embed-java packages load the
library into their own JVM and must be restarted as well, since a
running JVM keeps the old classes until it exits.
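A verification step for the update instructions above, added here as an example and not part of the Ubuntu notice: it embeds the fixed versions listed for each release, implements dpkg's version ordering in Python (so that ~esm pre-release builds, +esm suffixes and epochs sort the way dpkg sorts them), and reports each covered package as fixed or vulnerable. The dpkg-query sample at the bottom is constructed for a hypothetical 26.04 host; the versions 10.1.39-1ubuntu1 and 9.0.114-1ubuntu0.1 in it, and all function names, are assumptions for illustration.

```python
"""Check installed Tomcat packages against the fixed versions in USN-8417-1.
Added example, not part of the Ubuntu notice: the fixed versions are copied
from the notice, the dpkg-query sample at the bottom is constructed."""
import sys

_T10 = ["tomcat10", "libtomcat10-java", "libtomcat10-embed-java"]
_T9 = ["tomcat9", "libtomcat9-java", "libtomcat9-embed-java"]
FIXED_VERSIONS = {  # release -> package -> first fixed version (from the notice)
    "26.04": {**dict.fromkeys(_T10, "10.1.40-1ubuntu1.26.04.1"), "libtomcat9-java": "9.0.115-1ubuntu0.1"},
    "25.10": {**dict.fromkeys(_T10, "10.1.40-1ubuntu1.25.10.1"), "libtomcat9-java": "9.0.95-1ubuntu1.1"},
    "24.04": {**dict.fromkeys(_T10, "10.1.16-1ubuntu0.1~esm4"), "libtomcat9-java": "9.0.70-2ubuntu0.1+esm3"},
    "22.04": dict.fromkeys(_T9, "9.0.58-1ubuntu0.2+esm4"),
    "20.04": dict.fromkeys(_T9, "9.0.31-1ubuntu0.9+esm3"),
    "18.04": dict.fromkeys(_T9, "9.0.16-3ubuntu0.18.04.2+esm8"),
}

def _isdigit(c):
    return "0" <= c <= "9"

def _order(c):
    # dpkg's character weights: digits 0, letters by code point, '~' sorts
    # below everything including end of string, other punctuation above letters.
    if not c or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's ordering for one component (upstream version or Debian revision).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using the weights above.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros, longer number wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # "epoch:upstream-revision"; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def parse_dpkg_query(output):
    # One "package version" pair per line, as printed by
    # dpkg-query -W -f='${Package} ${Version}\n'
    pairs = (line.split() for line in output.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def check_release(release, installed):
    """Map each installed package this notice covers on `release` to 'fixed' or 'vulnerable'."""
    fixed = FIXED_VERSIONS[release]
    return {pkg: "fixed" if compare_versions(ver, fixed[pkg]) >= 0 else "vulnerable"
            for pkg, ver in installed.items() if pkg in fixed}

# Constructed sample standing in for dpkg-query output on a hypothetical 26.04 host.
SAMPLE_DPKG_OUTPUT = """\
tomcat10 10.1.40-1ubuntu1.26.04.1
libtomcat10-java 10.1.40-1ubuntu1.26.04.1
libtomcat10-embed-java 10.1.39-1ubuntu1
libtomcat9-java 9.0.114-1ubuntu0.1
"""

if __name__ == "__main__":
    release = sys.argv[1] if len(sys.argv) > 1 else "26.04"
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    for pkg, state in check_release(release, parse_dpkg_query(text or SAMPLE_DPKG_OUTPUT)).items():
        print(f"{pkg}: {state}")
```

To check a real host, pipe the output of dpkg-query -W -f='${Package} ${Version}\n' 'tomcat*' 'libtomcat*' into the script and pass the VERSION_ID from /etc/os-release as the release argument. The comparison deliberately treats 10.1.16-1ubuntu0.1 as newer than 10.1.16-1ubuntu0.1~esm4, because that is dpkg's rule for the ~ suffix; on an Ubuntu Pro host the versions you should expect to see installed are exactly the ~esm and +esm ones listed above, not a bare upstream release.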

References:
https://ubuntu.com/security/notices/USN-8417-1
CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512,
CVE-2026-43513, CVE-2026-43515

Package Information:
https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.26.04.1
https://launchpad.net/ubuntu/+source/tomcat9/9.0.115-1ubuntu0.1
https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.25.10.1
https://launchpad.net/ubuntu/+source/tomcat9/9.0.95-1ubuntu1.1
