Home

Description

In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.

PUBLISHED Reserved 2025-12-11 | Published 2026-04-09 | Updated 2026-04-10 | Assigner canonical




LOW: 2.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U

Problem types

CWE-1258 Exposure of sensitive system information due to uncleared debug information

Product status

Default status
unaffected

Any version
affected

Any version
affected

Any version
affected

References

github.com/canonical/subiquity/pull/2358 (noble backport - stop logging network config and identity data) patch issue-tracking

github.com/canonical/subiquity/pull/2357 (Stop logging identity data and network secrets) patch issue-tracking

cve.org (CVE-2025-14551)

nvd.nist.gov (CVE-2025-14551)

Download JSON