Canonical released USN-8245-1 on 7 May 2026, an Ubuntu kernel update that fixes more than a hundred vulnerabilities at once. The headline issue is EntrySign, tracked as CVE-2024-36347, a flaw in how some AMD CPUs verify microcode, found by Google’s security team.
What EntrySign is
Microcode is the internal firmware a CPU loads to work around hardware bugs or tweak its behaviour. On AMD processors built on the Zen architecture, the routine that checked the signature of that microcode used AES-CMAC as its verification function. AES-CMAC authenticates messages, but it isn’t a cryptographic hash suited to validating signatures. Because of that design mistake, an attacker who already holds elevated privileges can craft malicious microcode and get the CPU to accept it as genuine.
Once loaded, that microcode runs beneath the operating system, so it breaks both the integrity and the confidentiality of the machine. This isn’t a remote entry point: you need administrative access first. The danger lies in what comes next, since from there an attacker can undermine secure boot, confidential-computing environments such as SEV-SNP, or any guarantee that rests on the CPU’s chain of trust.
Who is affected
EntrySign is an AMD Zen processor problem, not specific to Ubuntu or Linux. The kernel patch Canonical ships applies the available software mitigation. The packages updated in USN-8245-1 are the linux-azure and linux-oem-6.17 variants (kernel 6.17), for Ubuntu 25.10 and Ubuntu 24.04 LTS:
- linux-azure and linux-azure-6.17: 6.17.0-1013.13
- linux-oem-6.17: 6.17.0-1020.20
Alongside EntrySign, the same notice bundles more than 130 CVEs across various kernel subsystems accumulated this cycle, so the update matters even if your hardware isn’t AMD.
Mitigation and patch
Update the kernel as soon as you can:
sudo apt update && sudo apt full-upgrade
sudo reboot
The reboot isn’t optional. The new kernel doesn’t take effect until you restart, and this notice carries ABI changes, which forces a rebuild of third-party kernel modules (proprietary drivers, DKMS) after updating.
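To confirm that a host has both installed the fixed package and rebooted into it, the check below compares an installed version and a running kernel release against the fixed versions listed above. It is an added example, not part of the notice or of Canonical's tooling; the function names, the status strings, the older sample versions in the usage comment, and the assumption that `uname -r` begins with the package ABI are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: patch-status check for the kernels listed in USN-8245-1.

# Fixed package versions, copied from the list in this article.
fixed_version_for() {
    case "$1" in
        linux-azure|linux-azure-6.17) echo "6.17.0-1013.13" ;;
        linux-oem-6.17)               echo "6.17.0-1020.20" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeeds when A >= B. Uses dpkg's comparison when present;
# the sort -V fallback is only adequate for plain numeric versions like these.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
    fi
}

# kernel_status FLAVOUR INSTALLED_VERSION RUNNING_RELEASE
#   INSTALLED_VERSION: version of the installed kernel image package
#   RUNNING_RELEASE:   output of `uname -r`
# Prints update-needed, reboot-needed or ok.
kernel_status() {
    local fixed running_abi fixed_abi
    fixed=$(fixed_version_for "$1") || { echo "unknown-flavour"; return 2; }
    if ! version_ge "$2" "$fixed"; then
        echo "update-needed"; return 0
    fi
    # Assumption: `uname -r` is "<ABI>-<flavour>", and the ABI is the package
    # version without its final ".N" upload number.
    running_abi=${3%-*}
    fixed_abi=${fixed%.*}
    if version_ge "$running_abi" "$fixed_abi"; then
        echo "ok"
    else
        echo "reboot-needed"
    fi
}

# Usage (constructed sample): ./check.sh linux-azure 6.17.0-1013.13 "$(uname -r)"
if [ "$#" -eq 3 ]; then
    kernel_status "$@"
fi
```

A `reboot-needed` result means the fixed package is on disk but the host is still running an older kernel.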
One point worth stating plainly: the operating-system patch applies the mitigation that software can deliver, but fully fixing EntrySign requires a BIOS/firmware update from your board or server vendor. If you manage AMD machines, check your vendor’s microcode and BIOS updates as well.
If you work with Ubuntu kernels, it’s worth reviewing other recent AMD notices such as USN-8028-1, which covered AMD SEV-SNP flaws. And to shrink reboot windows across large fleets, take a look at Livepatch support on Arm64, which applies critical kernel patches without rebooting. The full Ubuntu page lists the supported releases.
Source
- Ubuntu Security Notice USN-8245-1: https://ubuntu.com/security/notices/USN-8245-1
- CVE-2024-36347 detail on NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36347