PT-2026-60459 · Canonical · Ubuntu-Pro-Client

·

CVE-2026-11386

·

Published

2026-07-16

·

Updated

2026-07-17

CVSS v3.1

9.0

Critical

VectorAV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions ubuntu-pro-client (affected versions not specified)
Description An input validation and injection issue exists where the client constructs APT source files using data from the contract server response via the directives.suites[] and directives.aptURL fields. The use of Python's str.format() to write these files without escaping, validation, or newline character filtering allows a tampered response containing newline characters to inject arbitrary configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field, which is passed into a root-executed apt-get install command, an attacker who can manipulate the contract response can force the installation of malicious packages, leading to arbitrary code execution with root privileges. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-11386
USN-8555-1

Affected Products

Ubuntu-Pro-Client