CVE remediation in Ubuntu Core

This page explains how Common Vulnerabilities and Exposures (CVEs) are handled in Ubuntu Core, what users can expect in terms of security updates, and how to assess whether a CVE affects a deployed system.

For more information about CVEs, and how Ubuntu handles CVE notifications, please visit our dedicated page.

Ubuntu Core security model

Ubuntu Core is a minimal, immutable operating system built from snaps. Its security model differs from traditional package-based systems in several important ways:

  • The base system is delivered as a base snap

  • Applications are delivered as application snaps

  • Updates are transactional

  • Each snap is self-contained, including most of its dependencies

Because of this model, CVE exposure and remediation depend on which snap contains the affected software, rather than on the system as a whole.

Where CVEs can apply

CVEs in Ubuntu Core may affect one of the following components:

  • Base snaps, snapd and certified kernel snaps

  • Application snaps

  • Gadget snaps and boot assets

Base snaps, snapd and certified kernel snaps

If a vulnerability affects software shipped in a base snap, snapd or a certified kernel snap, Canonical fixes it by rebuilding and releasing a new revision of the affected snap. Systems automatically receive the updated revision through snapd’s refresh mechanism.

Canonical tracks all CVEs affecting these snaps, as well as the wider set of Ubuntu packages. Additional guidance for high-profile vulnerabilities is available in the Ubuntu Vulnerability knowledge base.

Application snaps

Application snaps bundle their own dependencies. CVEs affecting those dependencies must be addressed by the snap publisher, who is responsible for rebuilding and releasing an updated snap.

System snaps are owned by Canonical and follow the same process described above.

Gadget snaps and boot assets

Gadget snaps define device-specific configuration, including boot assets such as bootloaders (for example, GRUB or U-Boot), partition layouts, and firmware-related artefacts. CVEs affecting software shipped in the gadget snap follow the same general principle as other snaps: the party maintaining the gadget snap is responsible for assessing, fixing, and releasing updates.

For Canonical-maintained gadget snaps, Canonical tracks relevant CVEs and provides updated snap revisions when fixes are available. For example, on supported x86 platforms, Canonical currently maintains GRUB and delivers security fixes through updated gadget snap revisions.

For third-party or device-vendor–maintained gadget snaps, responsibility for bootloader maintenance (such as U-Boot) and associated CVE remediation lies with the gadget snap publisher. Updated gadget snap revisions must be released to address vulnerabilities, and devices will receive them through the normal snap refresh mechanism.

As with other snaps in Ubuntu Core, security fixes to gadget snaps are delivered via new revisions, and users should rely on snap revisions rather than version strings to assess update status.

CVE fixes and versioning

In Ubuntu Core, security fixes are delivered through new snap revisions, not necessarily through new snap versions.

A snap is a collection of artefacts, not a release of a single piece of software.

When a snap is updated, its revision is automatically assigned by the Snap Store, giving each snap binary a unique identity within and across its channels. A revision is unique, changes on every rebuild, is incremental and comparable, and is explicitly a distribution artefact identifier.

  • A new revision always represents a new build

  • A revision may include security fixes, dependency updates, or rebuilds

  • The version field is informational and may not change for rebuilds that include CVE fixes

For this reason, users should rely on the snap revision, together with the snap’s manifest.yaml, to determine which software a snap contains and whether it has been updated, rather than on the snap version string.

Assessing CVE impact

To determine whether a CVE affects an Ubuntu Core device, consider:

  1. Which component is affected (base snap, snapd, application snap or your own snaps)

  2. Whether that component is installed on the device

  3. Whether an updated revision is available and installed

For Ubuntu-maintained snaps, CVE status and fixes are tracked by the Ubuntu Security Team. For third-party snaps, publishers are responsible for CVE assessment and remediation.
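The three assessment steps above, worked as a small POSIX shell triage script. This is an added example, not part of the Ubuntu Core documentation or tooling: it assumes the first fixed revision is known from the advisory, reads `snap list` output and a snap's manifest.yaml (on a device typically found at /snap/<name>/current/snap/manifest.yaml), and uses constructed sample inputs so it runs offline.

```shell
#!/bin/sh
# Added triage helpers. On a device, pipe the real `snap list` output and
# manifest.yaml into the functions; the samples below are constructed.

# Constructed `snap list` output (revisions and versions are made up).
SAMPLE_SNAP_LIST='Name       Version    Rev    Tracking       Publisher    Notes
core22     20240111   1122   latest/stable  canonical**  base
snapd      2.61.2     21184  latest/stable  canonical**  snapd
pc-kernel  5.15.0-94  1540   22/stable      canonical**  kernel
pc         22-0.3     146    22/stable      canonical**  gadget
myapp      1.4.2      37     latest/stable  acme         -'

# Constructed fragment of an application snap's manifest.yaml.
SAMPLE_MANIFEST='name: myapp
version: 1.4.2
primed-stage-packages:
- libssl3=3.0.2-0ubuntu1.12
- zlib1g=1:1.2.11.dfsg-2ubuntu9.2'

# installed_revision NAME: revision of NAME from `snap list` text on stdin,
# empty when the snap is not installed (assessment step 2).
installed_revision() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $3 }'
}

# cve_status NAME FIXED_REV: compare the installed revision with the first
# revision carrying the fix (step 3). Revisions are compared, not versions,
# because a rebuild that includes a CVE fix may keep the same version string.
cve_status() {
  rev=$(installed_revision "$1")
  if [ -z "$rev" ]; then echo not-installed
  elif [ "$rev" -ge "$2" ]; then echo fixed
  else echo vulnerable
  fi
}

# staged_package_version PKG: version of a Debian package bundled into an
# application snap, read from the primed-stage-packages list on stdin.
staged_package_version() {
  awk -v pkg="$1" '
    /^primed-stage-packages:/ { inlist = 1; next }
    inlist && /^- / { split(substr($0, 3), kv, "="); if (kv[1] == pkg) print kv[2]; next }
    inlist && !/^- / { inlist = 0 }'
}

printf '%s\n' "$SAMPLE_SNAP_LIST" | cve_status snapd 21184          # fixed
printf '%s\n' "$SAMPLE_SNAP_LIST" | cve_status myapp 40             # vulnerable
printf '%s\n' "$SAMPLE_MANIFEST" | staged_package_version libssl3   # 3.0.2-0ubuntu1.12
```

The bundled package version is what you compare against the publisher's or Ubuntu Security Team's fixed version for an application snap, since the snap's own version field says nothing about its staged dependencies.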

Updates and lifecycle

Ubuntu Core systems automatically refresh snaps according to their configured refresh policy. This ensures that security fixes are applied promptly.

Updates can also be scheduled, either using refresh control or management services like Landscape.