Platform: linux
Component: ubuntu-desktop-provision
Fixed in: 25.10.1
CVE-2025-15480 is an information disclosure vulnerability in Ubuntu Desktop Provision affecting versions 0.0.0–25.10. When an installation fails, the system could inadvertently include sensitive user credentials, specifically password hashes, in bug reports submitted to Launchpad. This poses a risk of unauthorized access to user accounts if these reports are compromised.
The primary impact of CVE-2025-15480 is the potential exposure of user password hashes. If a bug report containing these hashes is accessed by an attacker, they could potentially use them to crack user passwords and gain unauthorized access to user accounts on the affected Ubuntu system. The blast radius is limited to users who experience installation failures and submit bug reports. While password hashing algorithms are designed to be resistant to brute-force attacks, a leaked hash significantly reduces the effort required for an attacker to compromise an account. This vulnerability highlights the importance of secure crash reporting mechanisms and careful handling of sensitive data.
CVE-2025-15480 was published on 2026-04-09. The vulnerability's severity is pending evaluation. There are currently no publicly known proof-of-concept exploits. It is not listed on KEV or EPSS, suggesting a low probability of immediate exploitation. Monitor Ubuntu security advisories for updates and mitigation guidance.
Exploit Status
EPSS: 0.06% (17th percentile)
The primary mitigation for CVE-2025-15480 is to upgrade to a patched version of Ubuntu Desktop Provision. Since a fixed version is not yet available, a workaround involves disabling automatic bug report submission during installation failures. This can be achieved by manually inspecting the system and avoiding the automated reporting process. Carefully review the Ubuntu security advisories for updates. After applying any updates or workarounds, verify the system's configuration to ensure that crash reporting is disabled or properly secured.
Upgrade the ubuntu-desktop-provision package to a fixed version. Canonical has published fixes in versions later than the affected ones. See the Ubuntu release notes for more details on the available updates.
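As an added example (not code from Canonical or from this advisory), the following Python scans the text of a bug report or installer log for crypt(3)-style password hashes and redacts them before the report is shared. It assumes the leaked hashes use the modular `$id$...` format found in `/etc/shadow`; the function names, the sample report and its hash strings are constructed for illustration.

```python
import re

# crypt(3) modular-format identifiers: 1=MD5, 2*=bcrypt, 5/6=SHA-256/512,
# 7=scrypt, y/gy=yescrypt. Assumption: leaked hashes follow this format.
CRYPT_HASH = re.compile(r"\$(?:1|2[abxy]?|5|6|7|y|gy)\$[./A-Za-z0-9$=,]{20,}")

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "7": "scrypt", "y": "yescrypt", "gy": "gost-yescrypt"}


def scheme_of(token):
    """Map a matched hash string to the name of its hashing scheme."""
    ident = token.split("$")[1]
    return "bcrypt" if ident.startswith("2") else SCHEMES[ident]


def find_hashes(text):
    """Return (line_number, scheme) for every crypt-style hash in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CRYPT_HASH.finditer(line):
            hits.append((lineno, scheme_of(match.group(0))))
    return hits


def redact(text):
    """Replace each hash with a marker that keeps only the scheme name."""
    return CRYPT_HASH.sub(
        lambda m: f"<redacted:{scheme_of(m.group(0))}>", text)


# Constructed sample report; the hash bodies are filler, not real hashes.
SAMPLE_REPORT = "\n".join([
    "installer: step 'identity' failed",
    "  username: alice",
    "  password: $6$rounds=5000$Zm9vYmFyc2FsdA$" + "A" * 86,
    "  other: $y$j9T$c2FsdHNhbHRzYWx0$" + "B" * 43,
    "note: parts cost $5 and $6 each",  # dollar amounts must not match
])

if __name__ == "__main__":
    for lineno, scheme in find_hashes(SAMPLE_REPORT):
        print(f"line {lineno}: {scheme} hash found")
    print(redact(SAMPLE_REPORT))
```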
CVE-2025-15480 is a vulnerability in Ubuntu Desktop Provision 0.0.0–25.10 where password hashes can be leaked in bug reports during installation failures, potentially exposing user credentials.
You are potentially affected if you are using Ubuntu Desktop Provision version 0.0.0–25.10 and have experienced installation failures requiring you to submit a bug report to Launchpad.
The recommended fix is to upgrade to a patched version of Ubuntu Desktop Provision. Until a patch is available, disable automatic bug report submission during installation failures.
Currently, there are no publicly known active exploitation campaigns targeting CVE-2025-15480, but continuous monitoring is advised.
Refer to the official Ubuntu security advisories at https://ubuntu.com/security for updates and guidance related to CVE-2025-15480.