CVE-2025-15480
Received Received - Intake
Credential Exposure in ubuntu-desktop-provision via Crash Report Logs

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: Canonical Ltd.

Description
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15480
EUVD
EUVD-2025-209377
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
canonical ubuntu_desktop_provision 24.04.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1258 The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in ubuntu-desktop-provision version 24.04.4 could lead to leakage of sensitive user credentials, specifically password hashes, during crash reporting. This exposure of sensitive identity data in logs could negatively impact compliance with privacy and data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information.

The fix implemented prevents logging of identity data, thereby mitigating the risk of sensitive data exposure and improving compliance with these standards by enhancing user privacy and security.

Executive Summary

In Ubuntu, the ubuntu-desktop-provision version 24.04.4 has a vulnerability where sensitive user credentials can be leaked during crash reporting.

Specifically, if the installation fails and a user submits a bug report to Launchpad, the software could include the user's password hash in the attached logs, exposing sensitive identity information.

Impact Analysis

This vulnerability can lead to the exposure of sensitive user credentials, such as password hashes, if a crash report is submitted after an installation failure.

An attacker or unauthorized party who gains access to these logs could potentially use the leaked password hashes to compromise user accounts or escalate privileges.

This exposure undermines user privacy and security by revealing identity-related data that should remain confidential.

Mitigation Strategies

To mitigate the CVE-2025-15480 vulnerability, you should update the ubuntu-desktop-provision package to the fixed version that prevents logging of sensitive identity data.

This fix has been implemented and merged in the canonical/ubuntu-desktop-provision project as pull requests #1399 and #1400 on April 9, 2026.

Ensure that your system is running the patched version of the ubuntu-desktop-provision and ubuntu-desktop-bootstrap snap packages to avoid leaking user password hashes in crash report logs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart