ubuntu-cve-2026-11386
Vulnerability from osv_ubuntu
Published
2026-07-17 14:00
Modified
2026-07-17 14:00
Summary
Details

An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.

Severity

{
  "affected": [
    {
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "ubuntu-advantage-pro",
            "binary_version": "37.2ubuntu~22.04.1"
          },
          {
            "binary_name": "ubuntu-advantage-tools",
            "binary_version": "37.2ubuntu~22.04.1"
          },
          {
            "binary_name": "ubuntu-pro-auto-attach",
            "binary_version": "37.2ubuntu~22.04.1"
          },
          {
            "binary_name": "ubuntu-pro-client",
            "binary_version": "37.2ubuntu~22.04.1"
          },
          {
            "binary_name": "ubuntu-pro-client-l10n",
            "binary_version": "37.2ubuntu~22.04.1"
          }
        ],
        "priority_reason": "CVSS critical"
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "ubuntu-advantage-tools",
        "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@37.2ubuntu~22.04.1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "37.2ubuntu~22.04.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "27.2.2~21.10.1",
        "27.3~21.10.1",
        "27.4~22.04.1",
        "27.4.1~22.04.1",
        "27.4.2~22.04.1",
        "27.5~22.04.1",
        "27.6~22.04.1",
        "27.7~22.04.1",
        "27.8~22.04.1",
        "27.9~22.04.1",
        "27.10.1~22.04.1",
        "27.11.2~22.04.1",
        "27.11.3~22.04.1",
        "27.12~22.04.1",
        "27.13.1~22.04.1",
        "27.13.2~22.04.1",
        "27.13.3~22.04.1",
        "27.13.5~22.04.1",
        "27.13.6~22.04.1",
        "27.14.4~22.04",
        "28.1~22.04",
        "29.4~22.04",
        "30~22.04",
        "31.2~22.04",
        "31.2.2~22.04",
        "31.2.3~22.04",
        "32.3~22.04",
        "32.3.1~22.04",
        "33.2~22.04",
        "34~22.04",
        "35.1ubuntu0~22.04",
        "36ubuntu0~22.04",
        "37.1ubuntu0~22.04",
        "37.2ubuntu~22.04"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "ubuntu-advantage-pro",
            "binary_version": "37.2ubuntu~24.04.1"
          },
          {
            "binary_name": "ubuntu-advantage-tools",
            "binary_version": "37.2ubuntu~24.04.1"
          },
          {
            "binary_name": "ubuntu-pro-auto-attach",
            "binary_version": "37.2ubuntu~24.04.1"
          },
          {
            "binary_name": "ubuntu-pro-client",
            "binary_version": "37.2ubuntu~24.04.1"
          },
          {
            "binary_name": "ubuntu-pro-client-l10n",
            "binary_version": "37.2ubuntu~24.04.1"
          }
        ],
        "priority_reason": "CVSS critical"
      },
      "package": {
        "ecosystem": "Ubuntu:24.04:LTS",
        "name": "ubuntu-advantage-tools",
        "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@37.2ubuntu~24.04.1?arch=source\u0026distro=noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "37.2ubuntu~24.04.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "29.4",
        "30",
        "30.1",
        "31.1",
        "31.2.2",
        "31.2.2build1",
        "31.2.3",
        "32.3~24.04",
        "32.3.1~24.04",
        "33.2~24.04.1",
        "34~24.04",
        "35.1ubuntu0~24.04",
        "36ubuntu0~24.04",
        "37.1ubuntu0~24.04",
        "37.2ubuntu~24.04"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ubuntu-advantage-pro",
            "binary_version": "37.2ubuntu~25.10"
          },
          {
            "binary_name": "ubuntu-advantage-tools",
            "binary_version": "37.2ubuntu~25.10"
          },
          {
            "binary_name": "ubuntu-pro-auto-attach",
            "binary_version": "37.2ubuntu~25.10"
          },
          {
            "binary_name": "ubuntu-pro-client",
            "binary_version": "37.2ubuntu~25.10"
          },
          {
            "binary_name": "ubuntu-pro-client-l10n",
            "binary_version": "37.2ubuntu~25.10"
          }
        ],
        "priority_reason": "CVSS critical"
      },
      "package": {
        "ecosystem": "Ubuntu:25.10",
        "name": "ubuntu-advantage-tools",
        "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@37.2ubuntu~25.10?arch=source\u0026distro=questing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "35",
        "35.1ubuntu0",
        "36ubuntu0",
        "37ubuntu0",
        "37.1ubuntu0~25.10",
        "37.2ubuntu~25.10"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "ubuntu-advantage-pro",
            "binary_version": "37.2ubuntu0.1"
          },
          {
            "binary_name": "ubuntu-advantage-tools",
            "binary_version": "37.2ubuntu0.1"
          },
          {
            "binary_name": "ubuntu-pro-auto-attach",
            "binary_version": "37.2ubuntu0.1"
          },
          {
            "binary_name": "ubuntu-pro-client",
            "binary_version": "37.2ubuntu0.1"
          },
          {
            "binary_name": "ubuntu-pro-client-l10n",
            "binary_version": "37.2ubuntu0.1"
          }
        ],
        "priority_reason": "CVSS critical"
      },
      "package": {
        "ecosystem": "Ubuntu:26.04:LTS",
        "name": "ubuntu-advantage-tools",
        "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@37.2ubuntu0.1?arch=source\u0026distro=resolute"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "37.2ubuntu0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "37ubuntu0",
        "37.1ubuntu0",
        "37.2ubuntu"
      ]
    }
  ],
  "aliases": [],
  "details": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-\u003cname\u003e.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
  "id": "UBUNTU-CVE-2026-11386",
  "modified": "2026-07-17T14:00:00Z",
  "published": "2026-07-17T14:00:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-11386"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-11386"
    },
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8555-1"
    }
  ],
  "related": [
    "USN-8555-1"
  ],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "high",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2026-11386"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…