🟡 Medium   ⏱ 10–30 min  Last verified: 25 May 2026
Affected versions: Ubuntu 18.04 (bionic)

📖 ~4 min read  •  Source: Ubuntu Security Notice USN-5019-1

Related CVEs: CVE-2021-1093 CVE-2021-1094 CVE-2021-1095 CVE-2021-1076 CVE-2021-1077 CVE-2021-1052 CVE-2021-1053

Upstream summary: It was discovered that an assert() could be triggered in the NVIDIA
graphics drivers. A local attacker could use this to cause a denial
of service. (CVE-2021-1093)

It was discovered that the NVIDIA graphics drivers permitted an
out-of-bounds array access. A local attacker could use this
to cause a denial of service or possibly expose sensitive
information. (CVE-2021-1094)

It was discovered that the NVIDIA graphics drivers contained a
vulnerability in the kernel mode layer w

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Ubuntu 18.04 (bionic) hosts that have nvidia-graphics-drivers-418-server installed, administrators report behaviour consistent with Ubuntu Security Notice USN-5019-1: apt reports pending security updates, services backed by nvidia-graphics-drivers-418-server fail or restart unexpectedly, AppArmor denials appear in the kernel log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever nvidia-graphics-drivers-418-server sits on the serving path.

Environment & Reproduction

Reproduction targets Ubuntu 18.04 (bionic). Confirm release and installed package:

lsb_release -a
cat /etc/os-release
dpkg -l nvidia-graphics-drivers-418-server | tail -2
apt-cache policy nvidia-graphics-drivers-418-server
uname -r

Trigger the workflow that exposes nvidia-graphics-drivers-418-server — multiple vulnerabilities (7 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u nvidia-graphics-drivers-418-server -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/apt/history.log
sudo tail -200 /var/log/kern.log | grep -i apparmor

Root Cause Analysis

Root cause is documented in Ubuntu Security Notice USN-5019-1. Canonical security maintainers shipped fixes in the corresponding nvidia-graphics-drivers-418-server update for Ubuntu 18.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. On this release the fix typically arrives via the Ubuntu Pro ESM (esm-infra / esm-apps) channels rather than the standard archive. Correlate apt history with the journal:

grep -A2 -B2 nvidia-graphics-drivers-418-server /var/log/apt/history.log
zgrep -A2 -B2 nvidia-graphics-drivers-418-server /var/log/apt/history.log.*.gz 2>/dev/null
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on Ubuntu 18.04 to capture the current state of nvidia-graphics-drivers-418-server:

dpkg -l nvidia-graphics-drivers-418-server | tail -1                  # installed version
dpkg -V nvidia-graphics-drivers-418-server                             # verify shipped files
sudo apt update && apt list --upgradable 2>/dev/null | grep -i security
systemctl is-active nvidia-graphics-drivers-418-server
sudo ufw status verbose 2>/dev/null | head -20
sudo aa-status 2>/dev/null | head -20
# If nvidia-graphics-drivers-418-server ships a service unit (unit/job name often differs from pkg name, e.g.
# bind9→named, apache2→apache2, postgresql-NN→postgresql@NN-main):
systemctl list-unit-files | grep -i nvidia | head

On bionic the standard archive no longer ships security fixes. Verify Ubuntu Pro ESM coverage:

# Ubuntu Pro CLI is the standard tool:
sudo pro status --format=json 2>/dev/null | head
apt-cache policy | grep -i esm

Step-by-Step Diagnosis

  1. List failing services.

    systemctl --failed --no-pager

  2. Tail the journal / syslog for nvidia-graphics-drivers-418-server.

    sudo journalctl -u nvidia-graphics-drivers-418-server -f --no-pager
sudo journalctl -xe -f --no-pager

  3. Inspect UFW (Uncomplicated Firewall) state.

    sudo ufw status numbered
sudo ufw show added
sudo iptables -L -n -v | head -30

  4. Surface AppArmor denials and switch the profile to complain mode if needed.

    sudo journalctl -k 2>/dev/null | grep -i 'apparmor="DENIED"' | tail -30
sudo aa-status
# /etc/apparmor.d/usr.bin.nvidia-graphics-drivers-418-server or usr.sbin.nvidia-graphics-drivers-418-server — inspect first
sudo aa-complain /etc/apparmor.d/usr.bin.nvidia-graphics-drivers-418-server 2>/dev/null || true

  5. Verify nvidia-graphics-drivers-418-server integrity and reinstall if anything is altered.

    sudo dpkg -V nvidia-graphics-drivers-418-server
sudo debsums -c nvidia-graphics-drivers-418-server 2>/dev/null
sudo apt install --reinstall -y nvidia-graphics-drivers-418-server

  6. Correlate findings with /var/log/apt/history.log, /var/log/dpkg.log, and Ubuntu Security Notice USN-5019-1 to pin the change that introduced nvidia-graphics-drivers-418-server — multiple vulnerabilities (7 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective apt transaction referenced by Ubuntu Security Notice USN-5019-1, then reload the affected service:

sudo apt update
sudo apt -y install --only-upgrade nvidia-graphics-drivers-418-server
sudo systemctl daemon-reload
# Service name may differ from pkg name; check first:
systemctl list-unit-files | grep -i nvidia | head
sudo systemctl restart nvidia-graphics-drivers-418-server
dpkg -l nvidia-graphics-drivers-418-server | tail -1            # confirm new version
systemctl is-active nvidia-graphics-drivers-418-server

On bionic the standard archive is past EoL for security; enable Ubuntu Pro ESM to receive the fix:

# Standard pro CLI:
sudo pro attach <token>
sudo pro enable esm-infra
sudo pro enable esm-apps
sudo apt update
sudo apt -y install --only-upgrade nvidia-graphics-drivers-418-server

For kernel / glibc / systemd / openssl advisories a reboot (or Livepatch) is required:

sudo apt install -y needrestart
sudo needrestart -r l       # list units that need restart
sudo systemctl reboot       # or: sudo shutdown -r now
# Livepatch (Ubuntu Pro) avoids reboot for many kernel CVEs:
sudo canonical-livepatch status
sudo canonical-livepatch refresh

Need help rolling this patch across an Ubuntu fleet? Our IT Solutions & Services team manages Ubuntu patch windows with Landscape and Ubuntu Pro integration. Get in touch for a free consultation.

Solution – Alternative Approaches

If the primary upgrade is not viable, pick from these:

  • Hold the package so apt cannot upgrade it:

    sudo apt-mark hold nvidia-graphics-drivers-418-server
apt-mark showhold | grep nvidia-graphics-drivers-418-server
# Release the hold later with:
sudo apt-mark unhold nvidia-graphics-drivers-418-server

  • Pin a known-good version via apt preferences:

    # /etc/apt/preferences.d/nvidia-graphics-drivers-418-server.pref
Package: nvidia-graphics-drivers-418-server
Pin: version <good-version>
Pin-Priority: 1001

  • Downgrade to an older version if a regression is suspected:

    apt-cache madison nvidia-graphics-drivers-418-server
sudo apt install --allow-downgrades -y nvidia-graphics-drivers-418-server=<older-version>

  • Investigate AppArmor blocking the new binary; switch to complain briefly, capture denials, then re-enforce:

    sudo aa-complain /etc/apparmor.d/usr.bin.nvidia-graphics-drivers-418-server 2>/dev/null
# reproduce the failure
sudo journalctl -k | grep apparmor | tail
sudo aa-enforce /etc/apparmor.d/usr.bin.nvidia-graphics-drivers-418-server 2>/dev/null

  • Apply Canonical Livepatch (Ubuntu Pro) to land kernel fixes without reboot:

    sudo canonical-livepatch status
sudo canonical-livepatch refresh

  • Take only the security pocket update and defer the full point-release upgrade:

    sudo apt -y install --only-upgrade -t bionic-security nvidia-graphics-drivers-418-server

Verification & Acceptance Criteria

All of these should pass after the fix is applied:

dpkg -l nvidia-graphics-drivers-418-server | tail -1                                  # expected fixed version
apt list --upgradable 2>/dev/null | grep -i security || echo OK
systemctl is-active nvidia-graphics-drivers-418-server
sudo journalctl -u nvidia-graphics-drivers-418-server --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo ufw status numbered | head
sudo aa-status 2>/dev/null | head -5

The original reproduction for nvidia-graphics-drivers-418-server — multiple vulnerabilities (7 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

apt list --installed 2>/dev/null > /root/apt-pre.txt
dpkg --get-selections > /root/dpkg-pre.txt
# ZFS-on-root (Ubuntu 20.04+ default installer option):
sudo zfs snapshot rpool/ROOT/ubuntu@pre-nvidia-graphics-drivers-418-server
# LVM-on-root:
sudo lvcreate -L 4G -s -n root_pre_patch /dev/<vg>/<root-lv>

To revert:

sudo apt install --allow-downgrades -y nvidia-graphics-drivers-418-server=<old-version>
sudo systemctl daemon-reload
sudo systemctl restart nvidia-graphics-drivers-418-server
# Kernel rollback: pick the prior kernel from the GRUB menu, then:
sudo systemctl reboot
# ZFS rollback (rolls the whole root dataset):
sudo zfs rollback -r rpool/ROOT/ubuntu@pre-nvidia-graphics-drivers-418-server

Prevention & Hardening

Reduce the chance of this recurring on Ubuntu 18.04 (bionic):

  • Enable scheduled security updates via unattended-upgrades:

    sudo apt install -y unattended-upgrades update-notifier-common
sudo dpkg-reconfigure -plow unattended-upgrades
# /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };

  • Install needrestart so services restart automatically after library upgrades:

    sudo apt install -y needrestart
# /etc/needrestart/needrestart.conf -> $nrconf{restart} = 'a';

  • Attach Ubuntu Pro for ESM (mandatory on this past-EoL release) and Livepatch where supported:

    sudo pro attach <token>
sudo pro enable esm-infra
sudo pro enable esm-apps
sudo pro enable livepatch

  • Subscribe to ubuntu-security-announce and watch ubuntu.com/security/cves.

  • Monitor file integrity with debsums and AIDE:

    sudo apt install -y debsums aide
sudo debsums -ca
sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

  • For estate-wide patching, manage with Canonical Landscape:

    sudo apt install -y landscape-client
sudo landscape-config

  • Keep AppArmor profiles in enforce mode and apply CIS Ubuntu Linux Benchmark hardening.

Issues that commonly surface alongside nvidia-graphics-drivers-418-server — multiple vulnerabilities (7 CVEs) — patch and remediation guide: apt lock contention, broken dpkg state, systemd ordering cycles, AppArmor denials, and UFW rule drift. Useful triage:

sudo dpkg --configure -a
sudo apt --fix-broken install
systemd-analyze critical-chain
sudo journalctl -k 2>/dev/null | grep -i apparmor | tail
cat /proc/sys/kernel/tainted

View all ubuntu-18-04 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: Ubuntu Security Notice USN-5019-1. Manual pages useful on Ubuntu 18.04:

man apt
man apt-get
man apt-mark
man dpkg
man systemctl
man journalctl
man ufw
man apparmor
man aa-status
man unattended-upgrades
man canonical-livepatch
man pro

Other resources: Ubuntu Security Notices, Ubuntu CVE Tracker, Ubuntu upgrade notes, and per-package notes in /usr/share/doc/nvidia-graphics-drivers-418-server/ for components implicated in nvidia-graphics-drivers-418-server — multiple vulnerabilities (7 CVEs) — patch and remediation guide.