Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Ubuntu Security

USN-8011-1: Emacs vulnerabilities

Multiple vulnerabilities have been identified in Emacs. Specifically, unsafe Lisp macro expansion can be triggered via `elisp-completion-at-point` on untrusted Emacs Lisp source code (CVE-2024-53920), and improper sanitization of certain URI schemes can lead to arbitrary shell command execution via crafted URLs (CVE-2025-1244). To remediate these issues, users should update to the following package versions: 1:29.3+1-1ubuntu2+esm3 for Ubuntu 24.04 LTS, 1:27.1+1-3ubuntu5.2+esm1 for Ubuntu 22.04 LTS, and 1:26.3+1-1ubuntu2+esm2 for Ubuntu 20.04 LTS. A standard system update will apply the necessary changes.

Ubuntu Security Notices: USN-8011-1

USN-8011-1: Emacs vulnerabilities

Publication date: 4 February 2026

Overview

Several security issues were fixed in Emacs.

Releases: 24.04 LTS, 22.04 LTS, 20.04 LTS

Packages

emacs - An extensible, customizable, free/libre text editor — and more.

Details

It was discovered that Emacs could trigger unsafe Lisp macro expansion, when a user invoked elisp-completion-at-point on untrusted Emacs Lisp source code. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-53920)

It was discovered that Emacs did not properly sanitize input when handling certain URI schemes. An attacker could possibly use this issue to execute arbitrary shell commands by tricking a user into opening a specially crafted URL. (CVE-2025-1244)

Update instructions

In general, a standard system update will make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

24.04 LTS (noble)
emacs – 1:29.3+1-1ubuntu2+esm3
emacs-bin-common – 1:29.3+1-1ubuntu2+esm3
emacs-common – 1:29.3+1-1ubuntu2+esm3
emacs-el – 1:29.3+1-1ubuntu2+esm3
emacs-gtk – 1:29.3+1-1ubuntu2+esm3
emacs-lucid – 1:29.3+1-1ubuntu2+esm3
emacs-nox – 1:29.3+1-1ubuntu2+esm3
emacs-pgtk – 1:29.3+1-1ubuntu2+esm3

22.04 LTS (jammy)
emacs – 1:27.1+1-3ubuntu5.2+esm1
emacs-bin-common – 1:27.1+1-3ubuntu5.2+esm1
emacs-common – 1:27.1+1-3ubuntu5.2+esm1
emacs-el – 1:27.1+1-3ubuntu5.2+esm1
emacs-gtk – 1:27.1+1-3ubuntu5.2+esm1
emacs-lucid – 1:27.1+1-3ubuntu5.2+esm1
emacs-nox – 1:27.1+1-3ubuntu5.2+esm1

20.04 LTS (focal)
emacs – 1:26.3+1-1ubuntu2+esm2
emacs-bin-common – 1:26.3+1-1ubuntu2+esm2
emacs-common – 1:26.3+1-1ubuntu2+esm2
emacs-el – 1:26.3+1-1ubuntu2+esm2
emacs-gtk – 1:26.3+1-1ubuntu2+esm2
emacs-lucid – 1:26.3+1-1ubuntu2+esm2
emacs-nox – 1:26.3+1-1ubuntu2+esm2

References

CVE-2025-1244
CVE-2024-53920
