Details
It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrectly handled digest
authentication. A remote attacker could possibly use this issue to
bypass authentication restrictions....
It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrectly handled digest
authentication. A remote attacker could possibly use this issue to
bypass authentication restrictions. (CVE-2026-43512)
It was discovered that Tomcat incorrectly handled case sensitivity
in LockOutRealm. A remote attacker could possibly use this issue to
bypass account lockout protections and obtain sensitive information.
(CVE-2026-43513)
It was discovered that Tomcat incorrectly handled authorization
when multiple method constraints defined the same HTTP method. A
remote attacker could possibly use this issue to bypass
authorization restrictions. (CVE-2026-43515)
Update instructions
After a standard system update you need to restart Tomcat to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 26.04 LTS resolute | libtomcat10-embed-java – 10.1.40-1ubuntu1.26.04.1 | ||
| libtomcat10-java – 10.1.40-1ubuntu1.26.04.1 | |||
| libtomcat9-java – 9.0.115-1ubuntu0.1 | |||
| tomcat10 – 10.1.40-1ubuntu1.26.04.1 | |||
| 25.10 questing | libtomcat10-embed-java – 10.1.40-1ubuntu1.25.10.1 | ||
| libtomcat10-java – 10.1.40-1ubuntu1.25.10.1 | |||
| libtomcat9-java – 9.0.95-1ubuntu1.1 | |||
| tomcat10 – 10.1.40-1ubuntu1.25.10.1 | |||
| 24.04 LTS noble | libtomcat10-embed-java – 10.1.16-1ubuntu0.1~esm4 | ||
| libtomcat10-java – 10.1.16-1ubuntu0.1~esm4 | |||
| libtomcat9-java – 9.0.70-2ubuntu0.1+esm3 | |||
| tomcat10 – 10.1.16-1ubuntu0.1~esm4 | |||
| 22.04 LTS jammy | libtomcat9-embed-java – 9.0.58-1ubuntu0.2+esm4 | ||
| libtomcat9-java – 9.0.58-1ubuntu0.2+esm4 | |||
| tomcat9 – 9.0.58-1ubuntu0.2+esm4 | |||
| 20.04 LTS focal | libtomcat9-embed-java – 9.0.31-1ubuntu0.9+esm3 | ||
| libtomcat9-java – 9.0.31-1ubuntu0.9+esm3 | |||
| tomcat9 – 9.0.31-1ubuntu0.9+esm3 | |||
| 18.04 LTS bionic | libtomcat9-embed-java – 9.0.16-3ubuntu0.18.04.2+esm8 | ||
| libtomcat9-java – 9.0.16-3ubuntu0.18.04.2+esm8 | |||
| tomcat9 – 9.0.16-3ubuntu0.18.04.2+esm8 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.