Bug

Firefox 147 Will Support The XDG Base Directory Specification (phoronix.com) 35

Phoronix's Michael Larabel reports: A 21 year old bug report requesting support of the XDG Base Directory specification is finally being addressed by Firefox. The Firefox 147 release should respect this XDG specification around where files should be positioned within Linux users' home directory.

The XDG Base Directory specification lays out where application data files, configuration files, cached assets, and other files and file formats should be positioned within a user's home directory and the XDG environment variables for accessing those locations. To date Firefox has just positioned all files under ~/.mozilla rather than the likes of ~/.config and ~/.local/share.

Privacy

A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers (wired.com) 34

Researchers at the University of Vienna extracted phone numbers for 3.5 billion WhatsApp users by systematically checking every possible number through the messaging service's contact discovery feature. The technique yielded profile photos for 57% of those accounts and profile text for 29 percent. The researchers checked roughly 100 million numbers per hour using WhatsApp's browser-based app.

The team warned Meta in April and deleted their data. The company implemented stricter rate-limiting by October to prevent such mass enumeration. Meta called the exposed information "basic publicly available information" and said it found no evidence of malicious exploitation. The vulnerability had been identified before. In 2017, Dutch researcher Loran Kloeze published a blog post detailing the same enumeration technique. Meta responded then that WhatsApp's privacy settings were functioning as designed and denied him a bug bounty reward. The researchers collected 137 million U.S. phone numbers. In India, they found nearly 750 million numbers. They also discovered 2.3 million Chinese numbers and 1.6 million Myanmar numbers, despite WhatsApp being banned in both countries. The researchers analyzed the cryptographic keys and found some accounts used duplicate keys. They speculate this resulted from unauthorized WhatsApp clients rather than a platform flaw.
The Internet

Cloudflare Outage Knocks Many Popular Websites Offline 56

An outage at Cloudflare that began moments ago has knocked many popular websites offline, including ChatGPT and X, according to user reports. Cloudflare says on its website: "Cloudflare is aware of, and investigating an issue which potentially impacts multiple customers. Further detail will be provided as more information becomes available."

Update: In a statement after the outage was resolved, Cloudflare CTO said: Earlier today we failed our customers and the broader Internet when a problem in Cloudflare network impacted large amounts of traffic that rely on us. The sites, businesses, and organizations that rely on Cloudflare depend on us being available and I apologize for the impact that we caused.

Transparency about what happened matters, and we plan to share a breakdown with more details in a few hours. In short, a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services. This was not an attack.

That issue, impact it caused, and time to resolution is unacceptable. Work is already underway to make sure it does not happen again, but I know it caused real pain today. The trust our customers place in us is what we value the most and we are going to do what it takes to earn that back.
Bug

We Can Now Track Individual Monarch Butterflies (nytimes.com) 48

An anonymous reader quotes a report from the New York Times: For the first time, scientists are tracking the migration of monarch butterflies across much of North America, actively monitoring individual insects on journeys from as far away as Ontario all the way to their overwintering colonies in central Mexico. This long-sought achievement could provide crucial insights into the poorly understood life cycles of hundreds of species of butterflies, bees and other flying insects at a time when many are in steep decline.

The breakthrough is the result of a tiny solar-powered radio tag that weighs just 60 milligrams and sells for $200. Researchers have tagged more than 400 monarchs this year and are now following their journeys on a cellphone app created by the New Jersey-based company that makes the tags, Cellular Tracking Technologies. Most monarchs weigh 500 to 600 milligrams, so each tag-bearing migrator making the transcontinental journey is, by weight, equivalent to a half-raisin carrying three uncooked grains of rice.

Researchers are tracking more than 400 tagged monarch butterflies as they fly toward winter colonies in central Mexico. The maps [in the article] follow six butterflies. [...] Tracking the world's most famous insect migration may also have a big social impact, with monarch lovers able to follow the progress of individual butterflies on the free app, called Project Monarch Science. Many of the butterflies are flying over cities and suburbs where pollinator gardens are increasingly popular. Some tracks could even lead to the discovery of new winter hideaways.
"There's nothing that's not amazing about this," said Cheryl Schultz, a butterfly scientist at Washington State University and the senior author of a recent study documenting a 22 percent drop in butterfly abundance in North America over a recent 20-year period. "Now we will have answers that could help us turn the tide for these bugs."
Open Source

FFmpeg To Google: Fund Us or Stop Sending Bugs (thenewstack.io) 113

FFmpeg, the open source multimedia framework that powers video processing in Google Chrome, Firefox, YouTube and other major platforms, has called on Google to either fund the project or stop burdening its volunteer maintainers with security vulnerabilities found by the company's AI tools. The maintainers patched a bug that Google's AI agent discovered in code for decoding a 1995 video game but described the finding as "CVE slop."

The confrontation centered on a Google Project Zero policy announced in July that publicly discloses reported vulnerabilities within a week and starts a ninety-day countdown to full disclosure regardless of patch availability. FFmpeg, written primarily in assembly language, handles format conversion and streaming for VLC, Kodi and Plex but operates without adequate funding from the corporations that depend on it. Nick Wellnhofer resigned as maintainer of libxml2, a library used in all major web browsers, because of the unsustainable workload of addressing security reports without compensation and said he would stop maintaining the project in December.
Windows

Windows 10 Update Incorrectly Tells Some Users They've Reached End-of-Life, Despite Having Extended Support (tomshardware.com) 21

An anonymous reader shares a report: Microsoft officially ended mainstream support for Windows 10 last month, nudging users to upgrade to Windows 11. While that led to almost an overnight technological revolution in Japan, elsewhere, it has caused a lot of confusion. Certain versions of Windows 10, like Enterprise LTSC -- and those enrolled in the ESU program -- are still scheduled to receive security updates through at least 2027, but they're starting to see out-of-support messages in Settings.

Various users over the past few days reported that they're being subjected to end-of-life warnings in Windows, despite already qualifying for extended security updates through the ESU program. Windows 10 Enterprise LTSC 2021 and IoT Enterprise are business-oriented editions of the OS, so they're already supported up to 2032, but even they saw these incorrect messages. This widespread bug started to occur after the KB5066791 updates were pushed on October 14, 2025.

Microsoft has already acknowledged this mishap and said, "The message, 'Your version of Windows has reached the end of support,' might incorrectly display in the Windows Update Settings page," confirming it as a mistake. The company has already released a cloud config fix that should remove the message, but you need to be connected to the internet for that, and a restart is also required.

AMD

AMD Will Continue Game Optimization Support For Older Radeon GPUs After All (tomshardware.com) 27

An anonymous reader quotes a report from Tom's Hardware: After a turbulent weekend of updates and clarifications, AMD has published an entire web page to assuage user backlash and reaffirm its commitment to continued support for its RDNA 1 and RDNA 2-based drives, following a spate of confusion surrounding its recent decision to put Radeon RX 5000 and 6000 series cards in "maintenance mode." This comes after AMD had to deny that the RX 7900 cards were losing USB-C power supply moving forward, even though the drive changelog said something quite different.

Just last week, AMD released a new driver update for its graphics cards, and it went anything but smoothly. First, the wrong drivers were uploaded, and even after that was corrected, several glaring errors in the release notes required clarification. AMD was forced to correct claims about its RX 7900 cards, but at the time clarified that, indeed, RX 5000 and 6000 graphics cards were entering "Maintenance Mode," despite some RX 6000 cards being only around four years old. Now, though, AMD has either rolled back that decision or someone higher up the food chain has made a new call, as game optimizations are back on the menu for RDNA 1 and RDNA 2 GPUs.
"We've heard your feedback and want to clear up the confusion around the AMD Software: Adrenalin Edition 25.10.2 driver release," AMD said in a statement. "Your Radeon RX 5000 and RX 6000 series GPUs will continue to receive: Game support for new releases, Stability and game optimizations, and Security and bug fixes," AMD said.
Advertising

Coca-Cola's New AI Holiday Ad Is a Sloppy Eyesore (theverge.com) 60

Coca-Cola has doubled down on AI-generated holiday ads despite widespread criticism of last year's uncanny results. This year the beverage company is replacing human actors with oddly animated animals in a visually inconsistent campaign. The Verge reports: There's no consistent style, switching between attempted realism and a bug-eyed toony look, and the polar bears, panda, and sloth move unnaturally, like flat images that have been sloppily animated rather than rigged 3D models in CG. Compared to the convincing deepfake videos being generated by tools like OpenAI's Sora 2 or Google's Veo 3, the videos produced for this Coke ad feel extremely dated.

The only notable improvement to my eyes is that the wheels on the iconic Coke trucks are actually consistently turning this year, rather than gliding statically over snow-covered roads. The Wall Street Journal reports that Coca-Cola teamed up with Silverside and Secret Level on its latest holiday campaign, two of the AI studios that previously worked on the 2024 Coke Christmas ads.

Coca-Cola declined to comment on the cost of the new holiday campaign, according to The Wall Street Journal, but said that around 100 people were involved in the project -- a figure comparable to the company's older AI-free productions. That includes five "AI specialists" from Silverside who contributed by prompting and refining more than 70,000 AI video clips.

Windows

Microsoft Fixes Decade-Old Windows Bug That Made 'Update and Shut Down' Restart PCs (windowslatest.com) 44

Microsoft has released a patch that fixes a longstanding bug in Windows 11 and Windows 10 where selecting "Update and shut down" would restart the computer instead of powering it off. The issue affected users across both operating systems since Windows 10's initial release. The fix arrived in Windows 11 25H2 Build 26200.7019 and the October 2025 optional update KB5067036.

Microsoft confirmed the patch "addressed underlying issue which can cause 'Update and shutdown' to not actually shut down your PC after updating." The problem likely stemmed from the Windows Servicing Stack failing to carry the power-off command through the required reboot phase. During updates Windows must restart into an offline servicing mode to replace system files. The power-off instruction was either cleared or blocked during this transition.
Ubuntu

Bug in Rust-Based Uutils Broke Ubuntu 25.10 Automatic Update Checks (omgubuntu.co.uk) 52

"Ubuntu's decision to switch to Rust-based coreutils in 25.10 hasn't been the smoothest ride," writes the blog OMG Ubuntu, "as the latest — albeit now resolved — bug underscores." [Coreutils] are used by a number of processes, apps and scripts, including Ubuntu's own unattended-upgrades process, which automatically checks for new software updates. Alas, the Rust-based version of date had a bug which meant Ubuntu 25.10 desktops, servers, cloud and container images were not able to automatically check for updates when configured. Unattended-upgrades hooks into the date utility to check the timestamp of a reference file of when an update check was last run and, past a certain date, checks again. But date was incorrectly showing the current date, always.

A fix has been issued so only Ubuntu 25.10 installs with rust-coreutils 0.2.2-0ubuntu2 (or earlier) are affected.

Programming

Cloudflare Raves About Performance Gains After Rust Rewrite (cloudflare.com) 53

"We've spent the last year rebuilding major components of our system," Cloudflare announced this week, "and we've just slashed the latency of traffic passing through our network for millions of our customers," (There's a 10ms cut in the median time to respond, plus a 25% performance boost as measured by CDN performance tests.) They replaced a 15-year-old system named FL (where they run security and performance features), and "At the same time, we've made our system more secure, and we've reduced the time it takes for us to build and release new products."

And yes, Rust was involved: We write a lot of Rust, and we've gotten pretty good at it... We built FL2 in Rust, on Oxy [Cloudflare's Rust-based next generation proxy framework], and built a strict module framework to structure all the logic in FL2... Built in Rust, [Oxy] eliminates entire classes of bugs that plagued our Nginx/LuaJIT-based FL1, like memory safety issues and data races, while delivering C-level performance. At Cloudflare's scale, those guarantees aren't nice-to-haves, they're essential. Every microsecond saved per request translates into tangible improvements in user experience, and every crash or edge case avoided keeps the Internet running smoothly. Rust's strict compile-time guarantees also pair perfectly with FL2's modular architecture, where we enforce clear contracts between product modules and their inputs and outputs...

It's a big enough distraction from shipping products to customers to rebuild product logic in Rust. Asking all our teams to maintain two versions of their product logic, and reimplement every change a second time until we finished our migration was too much. So, we implemented a layer in our old NGINX and OpenResty based FL which allowed the new modules to be run. Instead of maintaining a parallel implementation, teams could implement their logic in Rust, and replace their old Lua logic with that, without waiting for the full replacement of the old system.

Over 100 engineers worked on FL2 — and there was extensive testing, plus a fallback-to-FL1 procedure. But "We started running customer traffic through FL2 early in 2025, and have been progressively increasing the amount of traffic served throughout the year...." As we described at the start of this post, FL2 is substantially faster than FL1. The biggest reason for this is simply that FL2 performs less work [thanks to filters controlling whether modules need to run]... Another huge reason for better performance is that FL2 is a single codebase, implemented in a performance focussed language. In comparison, FL1 was based on NGINX (which is written in C), combined with LuaJIT (Lua, and C interface layers), and also contained plenty of Rust modules. In FL1, we spent a lot of time and memory converting data from the representation needed by one language, to the representation needed by another. As a result, our internal measures show that FL2 uses less than half the CPU of FL1, and much less than half the memory. That's a huge bonus — we can spend the CPU on delivering more and more features for our customers!

Using our own tools and independent benchmarks like CDNPerf, we measured the impact of FL2 as we rolled it out across the network. The results are clear: websites are responding 10 ms faster at the median, a 25% performance boost. FL2 is also more secure by design than FL1. No software system is perfect, but the Rust language brings us huge benefits over LuaJIT. Rust has strong compile-time memory checks and a type system that avoids large classes of errors. Combine that with our rigid module system, and we can make most changes with high confidence...

We have long followed a policy that any unexplained crash of our systems needs to be investigated as a high priority. We won't be relaxing that policy, though the main cause of novel crashes in FL2 so far has been due to hardware failure. The massively reduced rates of such crashes will give us time to do a good job of such investigations. We're spending the rest of 2025 completing the migration from FL1 to FL2, and will turn off FL1 in early 2026. We're already seeing the benefits in terms of customer performance and speed of development, and we're looking forward to giving these to all our customers.

After that, when everything is modular, in Rust and tested and scaled, we can really start to optimize...!

Thanks to long-time Slashdot reader Beeftopia for sharing the article.
Bug

OpenAI Launches Aardvark To Detect and Patch Hidden Bugs In Code (infoworld.com) 26

OpenAI has introduced Aardvark, a GPT-5-powered autonomous agent that scans, reasons about, and patches code like a human security researcher. "By embedding itself directly into the development pipeline, Aardvark aims to turn security from a post-development concern into a continuous safeguard that evolves with the software itself," reports InfoWorld. From the report: What makes Aardvark unique, OpenAI noted, is its combination of reasoning, automation, and verification. Rather than simply highlighting potential vulnerabilities, the agent promises multi-stage analysis -- starting by mapping an entire repository and building a contextual threat model around it. From there, it continuously monitors new commits, checking whether each change introduces risk or violates existing security patterns.

Additionally, upon identifying a potential issue, Aardvark attempts to validate the exploitability of the finding in a sandboxed environment before flagging it. This validation step could prove transformative. Traditional static analysis tools often overwhelm developers with false alarms -- issues that may look risky but aren't truly exploitable. "The biggest advantage is that it will reduce false positives significantly," noted Jain. "It's helpful in open source codes and as part of the development pipeline."

Once a vulnerability is confirmed, Aardvark integrates with Codex to propose a patch, then re-analyzes the fix to ensure it doesn't introduce new problems. OpenAI claims that in benchmark tests, the system identified 92 percent of known and synthetically introduced vulnerabilities across test repositories, a promising indication that AI may soon shoulder part of the burden of modern code auditing.

Chromium

Unpatched Bug Can Crash Chromium-Based Browsers in Seconds (theregister.com) 24

A critical security flaw in Chromium's Blink rendering engine can crash billions of browsers within seconds. Security researcher Jose Pino discovered the vulnerability and created a proof-of-concept exploit called Brash to demonstrate the bug affecting Chrome, Edge, OpenAI's ChatGPT Atlas, Brave, Vivaldi, Arc, Dia, Opera and Perplexity Comet.

The flaw, reports The Register, exploits the absence of rate limiting on document.title API updates in Chromium versions 143.0.7483.0 and later. The attack injects millions of DOM mutations per second and saturates the main thread. When The Register tested the code on Edge, the browser crashed and the Windows machine locked up after about 30 seconds while consuming 18GB of RAM in one tab. Pino disclosed the bug to the Chromium security team on August 28 and followed up on August 30 but received no response. Google said it is looking into the issue.
Ubuntu

Ubuntu Unity Faces Possible Shutdown As Team Member Cries For Help (neowin.net) 40

darwinmac writes: Ubuntu Unity is staring at a possible shutdown. A community moderator has gone public pleading for help, admitting the project is "broken and needs to be fixed." Neowin reports the distro is suffering from critical bugs so severe that upgrades from 25.04 to 25.10 are failing and even fresh installs are hit. The moderator admits they lack the technical skill or time to perform a full rescue and is asking the broader community, including devs, testers, and UI designers, to step in so Ubuntu Unity can reach 26.04 LTS. If no one steps in soon, this community flavor might quietly fade away once more.
Network

A Single Point of Failure Triggered the Amazon Outage Affecting Millions (arstechnica.com) 32

An anonymous reader quotes a report from Ars Technica: The outage that hit Amazon Web Services and took out vital services worldwide was the result of a single failure that cascaded from system to system within Amazon's sprawling network, according to a post-mortem from company engineers. [...] Amazon said the root cause of the outage was a software bug in software running the DynamoDB DNS management system. The system monitors the stability of load balancers by, among other things, periodically creating new DNS configurations for endpoints within the AWS network. A race condition is an error that makes a process dependent on the timing or sequence of events that are variable and outside the developers' control. The result can be unexpected behavior and potentially harmful failures.

In this case, the race condition resided in the DNS Enactor, a DynamoDB component that constantly updates domain lookup tables in individual AWS endpoints to optimize load balancing as conditions change. As the enactor operated, it "experienced unusually high delays needing to retry its update on several of the DNS endpoints." While the enactor was playing catch-up, a second DynamoDB component, the DNS Planner, continued to generate new plans. Then, a separate DNS Enactor began to implement them. The timing of these two enactors triggered the race condition, which ended up taking out the entire DynamoDB. [...] The failure caused systems that relied on the DynamoDB in Amazon's US-East-1 regional endpoint to experience errors that prevented them from connecting. Both customer traffic and internal AWS services were affected.

The damage resulting from the DynamoDB failure then put a strain on Amazon's EC2 services located in the US-East-1 region. The strain persisted even after DynamoDB was restored, as EC2 in this region worked through a "significant backlog of network state propagations needed to be processed." The engineers went on to say: "While new EC2 instances could be launched successfully, they would not have the necessary network connectivity due to the delays in network state propagation." In turn, the delay in network state propagations spilled over to a network load balancer that AWS services rely on for stability. As a result, AWS customers experienced connection errors from the US-East-1 region. AWS network functions affected included the creating and modifying Redshift clusters, Lambda invocations, and Fargate task launches such as Managed Workflows for Apache Airflow, Outposts lifecycle operations, and the AWS Support Center.
Amazon has temporarily disabled its DynamoDB DNS Planner and DNS Enactor automation globally while it fixes the race condition and adds safeguards against incorrect DNS plans. Engineers are also updating EC2 and its network load balancer.

Further reading: Amazon's AWS Shows Signs of Weakness as Competitors Charge Ahead
Security

Foreign Hackers Breached a US Nuclear Weapons Plant Via SharePoint Flaws (csoonline.com) 62

Foreign hackers breached the National Nuclear Security Administration's Kansas City National Security Campus (KCNSC) by exploiting unpatched Microsoft SharePoint vulnerabilities. The intrusion happened in August and is possibly linked to either Chinese state actors or Russian cybercriminals. CSO Online notes that "roughly 80% of the non-nuclear parts in the nation's nuclear stockpile originate from KCNSC," making it "one of the most sensitive facilities in the federal weapons complex." From the report: The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency within the Department of Energy (DOE) that oversees the design, production, and maintenance of the nation's nuclear weapons. Honeywell Federal Manufacturing & Technologies (FM&T) manages the Kansas City campus under contract to the NNSA. [...] The attackers exploited two recently disclosed Microsoft SharePoint vulnerabilities -- CVE-2025-53770, a spoofing flaw, and CVE-2025-49704, a remote code execution (RCE) bug -- both affecting on-premises servers. Microsoft issued fixes for the vulnerabilities on July 19.

On July 22, the NNSA confirmed it was one of the organizations hit by attacks enabled by the SharePoint flaws. "On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy," a DOE spokesperson said. However, the DOE contended at the time, "The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored." By early August, federal responders, including personnel from the NSA, were on-site at the Kansas City facility, the source tells CSO.

Bug

Windows 11 Update Breaks Recovery Environment, Making USB Keyboards and Mice Unusable (tomshardware.com) 96

"Windows Recovery Environment (RE), as the name suggests, is a built-in set of tools inside Windows that allow you to troubleshoot your computer, including booting into the BIOS, or starting the computer in safe mode," writes Tom's Hardware.

"It's a crucial piece of software that has now, unfortunately, been rendered useless (for many) as part of the latest Windows update." A new bug discovered in Windows 11's October build, KB5066835, makes it so that your USB keyboard and mouse stop working entirely, so you cannot interact with the recovery UI at all.

This problem has already been recognized and highlighted by Microsoft, who clarified that a fix is on its way to address this issue. Any plugged-in peripherals will continue to work just fine inside the actual operating system, but as soon as you go into Windows RE, your USB keyboard and mouse will become unresponsive. It's important to note that if your PC fails to start-up for any reason, it defaults to the recovery environment to, you know, recover and diagnose any issues that might've been preventing it from booting normally.

Note that those hanging onto old PS/2-connector equipped keyboards and mice seem to be unaffected by this latest Windows software gaffe.

AI

Open Source GZDoom Community Splinters After Creator Inserts AI-Generated Code (arstechnica.com) 46

An anonymous reader quotes a report from Ars Technica: If you've even idly checked in on the robust world of Doom fan development in recent years, you've probably encountered one of the hundreds of gameplay mods, WAD files, or entire commercial games based on GZDoom. The open source Doom port -- which can trace its lineage back to the original launch of ZDoom back in 1998 -- adds modern graphics rendering, quality-of-life additions, and incredibly deep modding features to the original Doom source code that John Carmack released in 1997. Now, though, the community behind GZDoom is publicly fracturing, with a large contingent of developers uniting behind a new fork called UZDoom. The move is in apparent protest of the leadership of GZDoom creator and maintainer Christoph Oelckers (aka Graf Zahl), who recently admitted to inserting untested AI-generated code into the GZDoom codebase.

"Due to some disagreements -- some recent; some tolerated for close to 2 decades -- with how collaboration should work, we've decided that the best course of action was to fork the project," developer Nash Muhandes wrote on the DoomWorld forums Wednesday. "I don't want to see the GZDoom legacy die, as do most all of us, hence why I think the best thing to do is to continue development through a fork, while introducing a different development model that highly favors transparent collaboration between multiple people." [...] Zahl defended the use of AI-generated snippets for "boilerplate code" that isn't key to underlying game features. "I surely have my reservations about using AI for project specific code," he wrote, "but this here is just superficial checks of system configuration settings that can be found on various websites -- just with 10x the effort required."

But others in the community were adamant that there's no place for AI tools in the workflow of an open source project like this. "If using code slop generated from ChatGPT or any other GenAI/AI chatbots is the future of this project, I'm sorry to say but I'm out," GitHub user Cacodemon345 wrote, summarizing the feelings of many other developers. In a GitHub bug report posted Tuesday, user the-phinet laid out the disagreements over AI-generated code alongside other alleged issues with Zahl's top-down approach to pushing out GZDoom updates.

Programming

The Great Software Quality Collapse (substack.com) 187

Engineer Denis Stetskov, writing in a blog: The Apple Calculator leaked 32GB of RAM. Not used. Not allocated. Leaked. A basic calculator app is hemorrhaging more memory than most computers had a decade ago. Twenty years ago, this would have triggered emergency patches and post-mortems. Today, it's just another bug report in the queue. We've normalized software catastrophes to the point where a Calculator leaking 32GB of RAM barely makes the news. This isn't about AI. The quality crisis started years before ChatGPT existed. AI just weaponized existing incompetence.

[...] Here's what engineering leaders don't want to acknowledge: software has physical constraints, and we're hitting all of them simultaneously. Modern software is built on towers of abstractions, each one making development "easier" while adding overhead: Today's real chain: React > Electron > Chromium > Docker > Kubernetes > VM > managed DB > API gateways. Each layer adds "only 20-30%." Compound a handful and you're at 2-6x overhead for the same behavior. That's how a Calculator ends up leaking 32GB. Not because someone wanted it to -- but because nobody noticed the cumulative cost until users started complaining.

[...] We're living through the greatest software quality crisis in computing history. A Calculator leaks 32GB of RAM. AI assistants delete production databases. Companies spend $364 billion to avoid fixing fundamental problems. This isn't sustainable. Physics doesn't negotiate. Energy is finite. Hardware has limits. The companies that survive won't be those who can outspend the crisis. They'll be those who remember how to engineer.

Ubuntu

Flatpak Doesn't Work in Ubuntu 25.10, But a Fix is Coming (phoronix.com) 74

"It's not just you: Flatpak flat-out doesn't work in the new Ubuntu 25.10 release," writes the blog OMG Ubuntu: While Flatpak itself can be installed using apt, trying to install Flatpaks with Flatpak from the command-line throws a "could not unmount revokefs-fuse filesystem" error, followed by "Child process exited with code 1". For those who've installed the Ubuntu 'Questing Quokka' and wanted to kit it out with their favourite software from Flathub, it's a frustrating road bump.

AppArmor, the tool that enforces Ubuntu's security policies for apps, is causing the issue. According to the bug report on Launchpad, the AppArmor profile for fusermount3 lacks the privileges it needs to work properly in Ubuntu 25.10. Fusermount3 is a tool Flatpak relies on to mount and unmount filesystems... This is a bug and it is being worked on. Although there's no timeframe for a fix, it is marked as critical, so will be prioritised.

The bug was reported in early September, but not fixed in time for this week's Ubuntu 25.10 release, reports Phoronix: Only [Friday] an updated AppArmor was pushed to the "questing-proposed" archive for testing. Since then... a number of users have reported that the updated AppArmor from the proposed archive will fix the Flatpak issues being observed. From all the reports so far it looks like that proposed update is in good shape for restoring Flatpak support on Ubuntu 25.10. The Ubuntu team is considering pushing out this update sooner than the typical seven day testing period given the severity of the issue.
More details from WebProNews: Industry insiders point out that AppArmor, Ubuntu's mandatory access control system, was tightened in this release to enhance security... This isn't the first time AppArmor has caused friction; similar issues plagued Telegram Flatpak apps in Ubuntu 24.04 LTS earlier this year, as noted in coverage from OMG Ubuntu.
