The Bundesamt für Sicherheit in der Informationstechnik reported multiple vulnerabilities in OpenSSL, including CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, and CVE-2026-31790, among others. These vulnerabilities involve incorrect negotiation of preferred key exchange groups in TLS 1.3 servers, improper memory handling in DANE clients and delta CRL processing, and crafted CMS EnvelopedData message processing errors. Some issues may lead to denial of service or remote code execution, while one vulnerability may allow sensitive information disclosure. Ubuntu has released security updates across multiple releases (14.04 LTS through 25.10) addressing these flaws. The fixes require standard system updates and rebooting to complete installation.

Remote attackers could exploit these vulnerabilities to cause OpenSSL to crash, resulting in denial of service, or potentially execute arbitrary code. One vulnerability could allow attackers to obtain sensitive information. The incorrect negotiation of key exchange groups in TLS 1.3 could lead to the use of less preferred cryptographic parameters, potentially weakening security. These impacts affect systems running vulnerable OpenSSL versions on various Linux distributions.

Official security updates have been released by Ubuntu for all affected versions, including 14.04 LTS through 25.10. Users should apply these updates promptly and reboot their systems to ensure all fixes are active. Ubuntu Pro provides extended security coverage and is recommended for long-term support. No additional vendor advisories indicate that no action is required; therefore, applying the official patches is the primary mitigation.