On 4 March 2026 Canonical’s security team published a batch of Linux kernel updates covering almost the entire supported Ubuntu lineup. That means the interim 25.10 release plus the four LTS branches still under support: 24.04, 22.04, 20.04 and 18.04 (the last one through Expanded Security Maintenance). This isn’t a single-hole fix but a bundle that closes several flaws spread across different kernel subsystems.
What gets fixed
The headline CVE is CVE-2025-40214, a flaw in the Unix domain socket subsystem (af_unix). The AF_UNIX garbage collector could free the receive queue of a socket that was still alive and in flight. The mainline fix (af_unix: Initialise scc_index in unix_add_edge()) properly initialises scc_index when adding edges to the graph the collector walks, so it stops treating an in-use object as collectible.
Alongside that flaw, the same Ubuntu Security Notice (USN) groups other kernel patches, including CVE-2025-22036 and CVE-2025-21726, which touch other subsystems. This is the usual shape of an Ubuntu kernel advisory: Canonical rolls up the fixes already landed upstream into one release per branch, so you update once and pick up the whole set.
Who is affected
Any Ubuntu install running a kernel older than the fixed versions in the advisory. Kernel flaws are rarely exploited remotely on their own; the typical path is a local user already on the box using them to crash it or, in the worst case, escalate privileges. Multi-user servers, containers and shared machines carry more exposure, because that’s where you actually find local actors who could reach the affected code paths.
Severity
Canonical rates the update as high priority. CVE-2025-40214 is a use-after-free in a sensitive part of the kernel, and that class of bug can turn into memory corruption. There’s no evidence of active exploitation at the time of the advisory, but it shouldn’t be left to sit.
How to patch
Update through the normal channels:
sudo apt update && sudo apt upgrade
sudo reboot
The reboot is needed to boot into the new kernel, unless you use Livepatch. Canonical included livepatch support for several of the affected LTS branches, so on those releases you can apply the mitigation without an immediate reboot; even so, schedule a reboot to land permanently on the patched kernel. Check which kernel you run with uname -r before and after.
If you manage a fleet, also make sure you don’t have pinned kernel versions (apt-mark hold) blocking the update.
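As an added example (not part of the advisory or of Canonical's tooling), the checks from the steps above in one script: it compares the running kernel with the newest installed one and lists held kernel packages. The sample version numbers are constructed placeholders, and the package-name pattern used to spot relevant holds is an assumption.

```sh
#!/bin/sh
# Added example: post-upgrade kernel check for one host.

# stdin: `apt-mark showhold` output. Prints holds that can block a kernel update.
# The name pattern is an assumption about which held packages matter.
held_kernel_pkgs() {
    grep -E '^linux-(image|headers|modules|generic|virtual)' || true
}

# stdin: "<status> <package>" lines from dpkg-query. Prints the newest installed
# kernel release, ignoring packages that are not fully installed (status != ii).
newest_installed_kernel() {
    awk '$1 == "ii" { sub(/^linux-image-/, "", $2); print $2 }' | sort -V | tail -n 1
}

# $1 = running release (uname -r), $2 = newest installed release.
# Succeeds when the running kernel is older than the newest installed one.
reboot_needed() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$2" ]
}

report() {  # $1 = running release, $2 = dpkg lines, $3 = hold lines
    newest=$(printf '%s\n' "$2" | newest_installed_kernel)
    echo "running=$1 newest_installed=$newest"
    if reboot_needed "$1" "$newest"; then echo "reboot pending: still on old kernel"; fi
    held=$(printf '%s\n' "$3" | held_kernel_pkgs)
    if [ -n "$held" ]; then printf 'held, blocks update: %s\n' $held; fi
}

if [ "${1:-}" = "--live" ]; then
    report "$(uname -r)" \
        "$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'linux-image-[0-9]*')" \
        "$(apt-mark showhold)"
else
    # Constructed sample data; the versions are placeholders, not the fixed
    # versions from the advisory.
    report "6.8.0-99-generic" \
"ii  linux-image-6.8.0-99-generic
ii  linux-image-6.8.0-101-generic
rc  linux-image-6.8.0-90-generic" \
"linux-image-generic
nginx"
fi
```

Run it with `--live` on a host to query dpkg and apt-mark instead of the sample data. With Livepatch active the reboot line still appears until the machine boots the new kernel, since `uname -r` does not change.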
For more on the LTS releases and their support windows, see the Ubuntu page.
Source
- Ubuntu Security Notices: https://ubuntu.com/security/notices?order=newest&release=focal&details=kernel
- CVE-2025-40214: https://nvd.nist.gov/vuln/detail/CVE-2025-40214