CVE-2025-15480
Credential Exposure in ubuntu-desktop-provision via Crash Report Logs
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: Canonical Ltd.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | ubuntu_desktop_provision | 24.04.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1258 | The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ubuntu-desktop-provision version 24.04.4 can leak sensitive user credentials, specifically the password hash of the account being created, into crash-report logs. Exposing identity data in logs that leave the machine works against privacy and data-protection regimes such as GDPR and HIPAA, which require that personal and sensitive information be safeguarded.
The fix stops identity data from being logged at all, which removes the exposure path and brings the installer back in line with those requirements.
Can you explain this vulnerability to me?
In Ubuntu, ubuntu-desktop-provision version 24.04.4 can leak sensitive user credentials during crash reporting.
Specifically, if the installation fails and the user submits a bug report to Launchpad, the logs attached to that report could contain the password hash of the user account created during installation, exposing identity information to anyone who can read the report.
How can this vulnerability impact me?
If a crash report is submitted after an installation failure, the attached logs may contain the password hash of the user account that was being created.
Anyone who can read those logs (for example, if the bug report is public or is later shared) can attempt to crack the hash offline and, on success, log in as that user or use the password wherever it was reused.
This undermines user privacy and security by revealing identity-related data that should never leave the machine.
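The two answers above describe the exposure (a password hash written into an installer log that is later attached to a bug report) and its impact. The following script is an added example, not code from ubuntu-desktop-provision, Canonical, or this page: it scans log text for crypt(3)-style password hashes (the `$6$`, `$y$`, `$5$`, `$1$` and bcrypt tag formats used in /etc/shadow), reports where they occur, redacts them, and shows the minimal scrub a logger should apply to an identity payload before writing it out. The log lines, the `identity=` field layout and the key names in `SENSITIVE_KEYS` are constructed assumptions; the real log format is not shown on this page.

```python
"""Detect and redact crypt(3) password hashes in installer or crash-report text.

Added example (not ubuntu-desktop-provision code). Sample log lines are constructed
and the hash values are random-looking placeholders, not real credentials.
"""
import re
from typing import Dict, List, Tuple

# crypt(3) hash formats as stored in /etc/shadow. The leading tag names the
# algorithm: $1$ MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt (Ubuntu's default
# since 22.04), $2a$/$2b$/$2y$ bcrypt. The rest is salt, parameters and digest in
# the crypt base64 alphabet, separated by further '$' characters.
CRYPT_HASH_RE = re.compile(r"\$(?:1|5|6|y|2[aby])\$[A-Za-z0-9./=$,+-]{10,}")

REDACTED = "<redacted-crypt-hash>"

# Assumed names of credential fields in an identity payload; the real key names
# used by the installer are not shown on this page.
SENSITIVE_KEYS = {"password", "hashed_password", "passwd"}


def find_hashes(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, algorithm_tag, matched_hash) for every hash in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRYPT_HASH_RE.finditer(line):
            tag = m.group(0).split("$")[1]  # '6' for $6$..., 'y' for $y$...
            hits.append((lineno, tag, m.group(0)))
    return hits


def redact(text: str) -> str:
    """Replace every crypt hash with a fixed marker so the text is safe to attach."""
    return CRYPT_HASH_RE.sub(REDACTED, text)


def is_safe_to_submit(text: str) -> bool:
    """True when no crypt hash remains in the text (run this on what you upload)."""
    return not find_hashes(text)


def scrub_identity(payload: Dict[str, object]) -> Dict[str, object]:
    """Drop credential fields before an identity payload is written to any log.

    The fix described on this page goes further and does not log identity data
    at all; this is the minimal scrub if some of the payload must be logged.
    """
    return {k: v for k, v in payload.items() if k.lower() not in SENSITIVE_KEYS}


# Constructed sample resembling an installer log that captured the identity
# payload and a shadow entry on failure. Not the real ubuntu-desktop-provision format.
SAMPLE_LOG = """\
2026-04-09 10:21:03 INFO  provision: identity step started
2026-04-09 10:21:04 DEBUG provision: env PATH=$HOME/bin:$PATH
2026-04-09 10:21:04 DEBUG provision: identity={"username": "alice", "password": "$6$rounds=4096$Qx9sL2mPz1aB$3e0u1BKa7g6FQ7nH2vYx8Zc4qL1o9Rj5w0TdA8bS3eK6m7nU2pV4tX1yZ5cB9dF0gH3jK6lM8nP1qR4sT7uW9"}
2026-04-09 10:21:05 DEBUG provision: shadow entry alice:$y$j9T$F5Jx5fExrKuPp53xLKQ..$X3cU0qC4v8G1iFz7m2Kq5bT9wE6yR1nH8dP4sL0aM7J/:20000:0:99999:7:::
2026-04-09 10:21:06 ERROR provision: identity step failed, attaching log to bug report
"""


if __name__ == "__main__":
    for lineno, tag, h in find_hashes(SAMPLE_LOG):
        print(f"line {lineno}: crypt hash with tag ${tag}$ ({len(h)} chars)")
    cleaned = redact(SAMPLE_LOG)
    print("safe to submit after redaction:", is_safe_to_submit(cleaned))
    print(cleaned)
```

Run the scanner over every file you are about to attach to a bug report; the `$HOME`/`$PATH` line in the sample shows that ordinary shell variables do not trigger it, while both the JSON-embedded SHA-512 hash and the yescrypt shadow entry do. Redaction with a fixed marker, rather than partial masking, keeps the salt from leaking as well.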
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-15480, update the ubuntu-desktop-provision package to the fixed version, which no longer logs identity data.
The fix was merged in the canonical/ubuntu-desktop-provision project as pull requests #1399 and #1400 on April 9, 2026.
Confirm that your system is running the patched ubuntu-desktop-provision and ubuntu-desktop-bootstrap snap packages, and review any installer logs already attached to bug reports for leaked password hashes before leaving them public.