CVE-2026-11386 (GCVE-0-2026-11386)
Vulnerability from cvelistv5 – Published: 2026-07-16 12:16 – Updated: 2026-07-16 13:31
VLAI
EPSS
VEX
Title
ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution
Summary
An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2026-11386 | vdb-entry |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Canonical | ubuntu-pro-client (ubuntu-advantage-tools) |
Affected:
0 , < 37.3
(python)
|
|
| Canonical | Ubuntu 26.04 LTS |
Unaffected:
37.2ubuntu0.1
(dpkg)
|
|
| Canonical | Ubuntu 24.04 LTS |
Unaffected:
37.2ubuntu~24.04.1
(dpkg)
|
|
| Canonical | Ubuntu 22.04 LTS |
Unaffected:
37.2ubuntu~22.04.1
(dpkg)
|
|
| Canonical | Ubuntu 20.04 LTS |
Unaffected:
37.1ubuntu0~20.04.1
(dpkg)
|
|
| Canonical | Ubuntu 18.04 LTS |
Unaffected:
37.1ubuntu0~18.04.1
(dpkg)
|
|
| Canonical | Ubuntu 16.04 LTS |
Unaffected:
37.1ubuntu0~16.04.1
(dpkg)
|
|
| Canonical | Ubuntu 14.04 LTS |
Unaffected:
19.7ubuntu0.1
(dpkg)
|
Date Public
2026-07-16 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:30:45.443694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T13:31:16.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical/",
"defaultStatus": "unaffected",
"packageName": "ubuntu-pro-client",
"platforms": [
"Linux"
],
"product": "ubuntu-pro-client (ubuntu-advantage-tools)",
"repo": "https://github.com/canonical/ubuntu-pro-client",
"vendor": "Canonical",
"versions": [
{
"lessThan": "37.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/resolute",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 26.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu0.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~24.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.2ubuntu~22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~20.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~18.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "37.1ubuntu0~16.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/trusty",
"defaultStatus": "affected",
"packageName": "ubuntu-advantage-tools",
"platforms": [
"Linux"
],
"product": "Ubuntu 14.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
"vendor": "Canonical",
"versions": [
{
"status": "unaffected",
"version": "19.7ubuntu0.1",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Frederick Jerusha"
}
],
"datePublic": "2026-07-16T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An input validation and injection vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs\u003cbr\u003eAPT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their\u003cbr\u003eDEB822 equivalents) using data received directly from the contract server\u003cbr\u003eresponse via the directives.suites[] and directives.aptURL fields. Because\u003cbr\u003ethe client utilizes Python\u0027s str.format() to write these files without\u003cbr\u003eperforming escaping, validation, or newline character filtering, a malicious\u003cbr\u003eor tampered contract response containing embedded newline (\\n) characters can\u003cbr\u003esuccessfully inject arbitrary, attacker-controlled deb configuration lines into\u003cbr\u003eroot-owned APT sources.\u003cbr\u003eWhen combined with the unvalidated additionalPackages[] field\u2014which is passed\u003cbr\u003epositionally into a root-executed apt-get install command\u2014an attacker capable of\u003cbr\u003espoofing or manipulating the contract response (e.g., via a compromised internal\u003cbr\u003einfrastructure, an intercepted connection utilizing a trusted CA, or local logical\u003cbr\u003ebugs) can force the client to fetch and install malicious packages. This ultimately\u003cbr\u003eleads to arbitrary code execution with root privileges on the affected system. This\u003cbr\u003ecomponent is preinstalled on supported Ubuntu Server releases and auto-attaches by\u003cbr\u003edefault on cloud provider Ubuntu Pro images."
}
],
"value": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:16:02.508Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://ubuntu.com/security/CVE-2026-11386"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-11386",
"datePublished": "2026-07-16T12:16:02.508Z",
"dateReserved": "2026-06-05T15:11:57.169Z",
"dateUpdated": "2026-07-16T13:31:16.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-11386\",\"sourceIdentifier\":\"security@ubuntu.com\",\"published\":\"2026-07-16T13:16:24.770\",\"lastModified\":\"2026-07-16T14:16:48.040\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.\"}],\"affected\":[{\"source\":\"security@ubuntu.com\",\"affectedData\":[{\"vendor\":\"Canonical\",\"product\":\"ubuntu-pro-client (ubuntu-advantage-tools)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/canonical/\",\"packageName\":\"ubuntu-pro-client\",\"platforms\":[\"Linux\"],\"repo\":\"https://github.com/canonical/ubuntu-pro-client\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"37.3\",\"versionType\":\"python\",\"status\":\"affected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 26.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/resolute\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"37.2ubuntu0.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 24.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/noble\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"37.2ubuntu~24.04.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 22.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/jammy\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"37.2ubuntu~22.04.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 20.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/focal\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"37.1ubuntu0~20.04.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 18.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/bionic\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"37.1ubuntu0~18.04.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 16.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/xenial\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"37.1ubuntu0~16.04.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]},{\"vendor\":\"Canonical\",\"product\":\"Ubuntu 14.04 LTS\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://launchpad.net/ubuntu/trusty\",\"packageName\":\"ubuntu-advantage-tools\",\"platforms\":[\"Linux\"],\"repo\":\"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\",\"versions\":[{\"version\":\"19.7ubuntu0.1\",\"versionType\":\"dpkg\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@ubuntu.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-16T13:30:45.443694Z\",\"id\":\"CVE-2026-11386\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@ubuntu.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://ubuntu.com/security/CVE-2026-11386\",\"source\":\"security@ubuntu.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-11386\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-16T13:30:45.443694Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-16T13:31:03.562Z\"}}], \"cna\": {\"title\": \"ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Frederick Jerusha\"}], \"impacts\": [{\"capecId\": \"CAPEC-242\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-242 Code Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/canonical/ubuntu-pro-client\", \"vendor\": \"Canonical\", \"product\": \"ubuntu-pro-client (ubuntu-advantage-tools)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"37.3\", \"versionType\": \"python\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-pro-client\", \"collectionURL\": \"https://github.com/canonical/\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 26.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"37.2ubuntu0.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/resolute\", \"defaultStatus\": \"affected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 24.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"37.2ubuntu~24.04.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/noble\", \"defaultStatus\": \"affected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 22.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"37.2ubuntu~22.04.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/jammy\", \"defaultStatus\": \"affected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 20.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"37.1ubuntu0~20.04.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/focal\", \"defaultStatus\": \"affected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 18.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"37.1ubuntu0~18.04.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/bionic\", \"defaultStatus\": \"affected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 16.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"37.1ubuntu0~16.04.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/xenial\", \"defaultStatus\": \"affected\"}, {\"repo\": \"https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools\", \"vendor\": \"Canonical\", \"product\": \"Ubuntu 14.04 LTS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"19.7ubuntu0.1\", \"versionType\": \"dpkg\"}], \"platforms\": [\"Linux\"], \"packageName\": \"ubuntu-advantage-tools\", \"collectionURL\": \"https://launchpad.net/ubuntu/trusty\", \"defaultStatus\": \"affected\"}], \"datePublic\": \"2026-07-16T12:00:00.000Z\", \"references\": [{\"url\": \"https://ubuntu.com/security/CVE-2026-11386\", \"tags\": [\"vdb-entry\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\\u2014which is passed positionally into a root-executed apt-get install command\\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An input validation and injection vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs\u003cbr\u003eAPT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their\u003cbr\u003eDEB822 equivalents) using data received directly from the contract server\u003cbr\u003eresponse via the directives.suites[] and directives.aptURL fields. Because\u003cbr\u003ethe client utilizes Python\u0027s str.format() to write these files without\u003cbr\u003eperforming escaping, validation, or newline character filtering, a malicious\u003cbr\u003eor tampered contract response containing embedded newline (\\\\n) characters can\u003cbr\u003esuccessfully inject arbitrary, attacker-controlled deb configuration lines into\u003cbr\u003eroot-owned APT sources.\u003cbr\u003eWhen combined with the unvalidated additionalPackages[] field\\u2014which is passed\u003cbr\u003epositionally into a root-executed apt-get install command\\u2014an attacker capable of\u003cbr\u003espoofing or manipulating the contract response (e.g., via a compromised internal\u003cbr\u003einfrastructure, an intercepted connection utilizing a trusted CA, or local logical\u003cbr\u003ebugs) can force the client to fetch and install malicious packages. This ultimately\u003cbr\u003eleads to arbitrary code execution with root privileges on the affected system. This\u003cbr\u003ecomponent is preinstalled on supported Ubuntu Server releases and auto-attaches by\u003cbr\u003edefault on cloud provider Ubuntu Pro images.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper input validation\"}]}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2026-07-16T12:16:02.508Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-11386\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-16T13:31:16.910Z\", \"dateReserved\": \"2026-06-05T15:11:57.169Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2026-07-16T12:16:02.508Z\", \"assignerShortName\": \"canonical\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…