On 24 February 2026 Canonical published security advisory USN-8059-1, another batch of fixes for the Linux kernel shipped by Ubuntu. It belongs to a string of kernel advisories Canonical pushed out across February (USN-8028-1, USN-8033-1, USN-8052-1 and USN-8059-1), which tells you something about how constant the security maintenance work on the system core really is.
What the advisory fixes
Canonical’s official wording is short: “Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.” That phrasing is generic on purpose, but the identifiers attached to the fix point at the SMB network subsystem, and more precisely at the in-kernel SMB server, ksmbd.
The referenced vulnerabilities are:
- CVE-2025-37899: a use-after-free flaw in ksmbd that fires during session logoff. The sess->user object can still be in use by another thread (say, when another connection sends a session setup request to bind to the session that is being freed), which leaves a pointer aimed at already-freed memory. Bugs like this can end in kernel memory corruption.
- CVE-2025-22037: another issue in the same SMB network file system area.
Use-after-free bugs in kernel space are especially touchy. Depending on how the freed memory gets reused, they can stop at a denial of service (a system crash) or, in the worse cases, open the door to privilege escalation or code execution in the kernel context.
Who is affected
USN-8059-1 covers these branches:
- Ubuntu 24.04 LTS (Noble): linux, linux-gkeop, linux-lowlatency, linux-oracle and linux-raspi.
- Ubuntu 22.04 LTS (Jammy): linux-hwe-6.8 and linux-lowlatency-hwe-6.8.
The real risk swings a lot with how exposed each machine is. The ones in the line of fire are those running as an SMB server with ksmbd and accepting network connections, particularly if they are reachable from networks you do not control. On a desktop with no ksmbd active the vector loses most of its weight, though the advice to apply the update holds for everyone alike.
Severity
Canonical does not give a unified CVSS score in the advisory itself and sums up the impact generically as “system compromise.” Given what these flaws are (use-after-free in a kernel network service), they land in a high-importance range, which is how Canonical tags this kind of kernel update.
Mitigation and patch
The only thing Canonical recommends is to install the fixed kernel versions it has already published in its repositories. To update:
sudo apt update
sudo apt full-upgrade
sudo reboot
Two details from the advisory worth keeping in mind:
- You have to reboot the machine after updating so the new kernel loads.
- The advisory carries an ABI change: if you use third-party kernel modules (proprietary drivers, for instance), you will need to recompile and reinstall them once you update.
And as an extra step to shrink the attack surface, on servers that do not share files over SMB the sensible move is to keep ksmbd disabled and to lock down network access to the service with a firewall.
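As an added example (not part of the advisory or of Canonical's tooling), the following POSIX shell audit answers the three questions this update turns on for a given host: whether the ksmbd module is loaded, whether anything is bound on TCP/445, and whether a reboot is still pending because the running kernel is older than the newest installed one. The sample inputs are constructed; run it with --live to check the real host.

```shell
#!/bin/sh
# Added example, not Canonical's tooling: a post-USN-8059-1 exposure check.
# Checks take their input as text so they can be run against captured
# /proc/modules and `ss -ltn` output as well as against the live host.

# ksmbd_loaded MODULES_TEXT: succeeds if "ksmbd" is a module name in /proc/modules-style text
ksmbd_loaded() {
    printf '%s\n' "$1" | awk '$1 == "ksmbd" { found = 1 } END { exit !found }'
}

# smb_listening SS_TEXT: succeeds if `ss -ltn` output shows a listener on port 445
smb_listening() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /:445$/ { found = 1 } END { exit !found }'
}

# reboot_pending RUNNING NEWEST: succeeds if the running kernel is not the newest installed one
reboot_pending() {
    [ "$1" != "$2" ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_MODULES='ksmbd 524288 1 - Live 0x0000000000000000
nls_utf8 12288 1 ksmbd, Live 0x0000000000000000'
SAMPLE_MODULES_CLEAN='cifs 1572864 0 - Live 0x0000000000000000'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:445       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# audit_host: run the same checks against the live system and report findings.
audit_host() {
    mods=$(cat /proc/modules 2>/dev/null)
    listeners=$(ss -ltn 2>/dev/null)
    running=$(uname -r)
    # Newest installed kernel, taken from the /boot/vmlinuz-* images (GNU sort -V).
    newest=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1)
    ksmbd_loaded "$mods"       && echo "ksmbd module is loaded"
    smb_listening "$listeners" && echo "listener bound on TCP/445: SMB service reachable from the network"
    [ -n "$newest" ] && reboot_pending "$running" "$newest" \
        && echo "running $running but $newest is installed: reboot to load the fixed kernel"
    return 0
}

case "${1:-}" in
    --live) audit_host ;;
esac
```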
Source
- Ubuntu Security Notice USN-8059-1: https://ubuntu.com/security/notices/USN-8059-1
- CVE-2025-37899: https://nvd.nist.gov/vuln/detail/CVE-2025-37899
- CVE-2025-22037: https://nvd.nist.gov/vuln/detail/CVE-2025-22037