Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Ubuntu 14.04 LTS by Canonical

    CVE-2026-9494 (GCVE-0-2026-9494)

    Vulnerability from nvd – Published: 2026-07-16 12:12 – Updated: 2026-07-16 15:11
    VLAI
    Title
    ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line
    Summary
    An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-214 - Invocation of process using visible sensitive information
    Assigner
    References
    Date Public
    2026-07-16 12:00
    Credits
    Bilal Teke
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9494",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T13:36:06.361605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T15:11:07.229Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical/",
              "defaultStatus": "unaffected",
              "packageName": "ubuntu-pro-client",
              "platforms": [
                "Linux"
              ],
              "product": "ubuntu-pro-client (ubuntu-advantage-tools)",
              "repo": "https://github.com/canonical/ubuntu-pro-client",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "37.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/resolute",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 26.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/noble",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 24.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~24.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/jammy",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 22.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~22.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/focal",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 20.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~20.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/bionic",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 18.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~18.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/xenial",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 16.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~16.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/trusty",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 14.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "19.7ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bilal Teke"
            }
          ],
          "datePublic": "2026-07-16T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client\u003cbr\u003e(formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT\u003cbr\u003ecredentials by executing /usr/lib/apt/apt-helper using the download-file\u003cbr\u003ecommand. During this process, the secret bearer token is embedded directly in\u003cbr\u003ethe cleartext URL component passed via the command-line arguments (argv),\u003cbr\u003eresulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../.\u003cbr\u003eOn systems utilizing a default-mounted /proc file system where process-hiding\u003cbr\u003emitigations (such as hidepid) are disabled, an unprivileged local attacker can\u003cbr\u003emonitor system processes and read the sensitive bearer token directly from\u003cbr\u003e/proc/cmdline while the helper process is actively running. This leaked\u003cbr\u003etoken can subsequently be used to gain unauthorized access to the victim\u0027s\u003cbr\u003eUbuntu Pro or Expanded Security Maintenance (ESM) repositories.\u003cbr\u003e"
                }
              ],
              "value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in\nthe cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can\nmonitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim\u0027s Ubuntu Pro or Expanded Security Maintenance (ESM) repositories."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-13",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-13 Subverting Environment Variable Values"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-214",
                  "description": "CWE-214 Invocation of process using visible sensitive information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T12:12:27.447Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://ubuntu.com/security/CVE-2026-9494"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-9494",
        "datePublished": "2026-07-16T12:12:27.447Z",
        "dateReserved": "2026-05-25T08:23:24.573Z",
        "dateUpdated": "2026-07-16T15:11:07.229Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11386 (GCVE-0-2026-11386)

    Vulnerability from nvd – Published: 2026-07-16 12:16 – Updated: 2026-07-16 13:31
    VLAI
    Title
    ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution
    Summary
    An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    References
    Date Public
    2026-07-16 12:00
    Credits
    Frederick Jerusha
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T13:30:45.443694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T13:31:16.910Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical/",
              "defaultStatus": "unaffected",
              "packageName": "ubuntu-pro-client",
              "platforms": [
                "Linux"
              ],
              "product": "ubuntu-pro-client (ubuntu-advantage-tools)",
              "repo": "https://github.com/canonical/ubuntu-pro-client",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "37.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/resolute",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 26.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/noble",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 24.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~24.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/jammy",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 22.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~22.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/focal",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 20.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~20.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/bionic",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 18.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~18.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/xenial",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 16.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~16.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/trusty",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 14.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "19.7ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Frederick Jerusha"
            }
          ],
          "datePublic": "2026-07-16T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An input validation and injection vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs\u003cbr\u003eAPT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their\u003cbr\u003eDEB822 equivalents) using data received directly from the contract server\u003cbr\u003eresponse via the directives.suites[] and directives.aptURL fields. Because\u003cbr\u003ethe client utilizes Python\u0027s str.format() to write these files without\u003cbr\u003eperforming escaping, validation, or newline character filtering, a malicious\u003cbr\u003eor tampered contract response containing embedded newline (\\n) characters can\u003cbr\u003esuccessfully inject arbitrary, attacker-controlled deb configuration lines into\u003cbr\u003eroot-owned APT sources.\u003cbr\u003eWhen combined with the unvalidated additionalPackages[] field\u2014which is passed\u003cbr\u003epositionally into a root-executed apt-get install command\u2014an attacker capable of\u003cbr\u003espoofing or manipulating the contract response (e.g., via a compromised internal\u003cbr\u003einfrastructure, an intercepted connection utilizing a trusted CA, or local logical\u003cbr\u003ebugs) can force the client to fetch and install malicious packages. This ultimately\u003cbr\u003eleads to arbitrary code execution with root privileges on the affected system. This\u003cbr\u003ecomponent is preinstalled on supported Ubuntu Server releases and auto-attaches by\u003cbr\u003edefault on cloud provider Ubuntu Pro images."
                }
              ],
              "value": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T12:16:02.508Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://ubuntu.com/security/CVE-2026-11386"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-11386",
        "datePublished": "2026-07-16T12:16:02.508Z",
        "dateReserved": "2026-06-05T15:11:57.169Z",
        "dateUpdated": "2026-07-16T13:31:16.910Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11386 (GCVE-0-2026-11386)

    Vulnerability from cvelistv5 – Published: 2026-07-16 12:16 – Updated: 2026-07-16 13:31
    VLAI
    Title
    ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution
    Summary
    An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    References
    Date Public
    2026-07-16 12:00
    Credits
    Frederick Jerusha
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T13:30:45.443694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T13:31:16.910Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical/",
              "defaultStatus": "unaffected",
              "packageName": "ubuntu-pro-client",
              "platforms": [
                "Linux"
              ],
              "product": "ubuntu-pro-client (ubuntu-advantage-tools)",
              "repo": "https://github.com/canonical/ubuntu-pro-client",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "37.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/resolute",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 26.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/noble",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 24.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~24.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/jammy",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 22.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~22.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/focal",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 20.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~20.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/bionic",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 18.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~18.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/xenial",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 16.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~16.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/trusty",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 14.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "19.7ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Frederick Jerusha"
            }
          ],
          "datePublic": "2026-07-16T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An input validation and injection vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs\u003cbr\u003eAPT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their\u003cbr\u003eDEB822 equivalents) using data received directly from the contract server\u003cbr\u003eresponse via the directives.suites[] and directives.aptURL fields. Because\u003cbr\u003ethe client utilizes Python\u0027s str.format() to write these files without\u003cbr\u003eperforming escaping, validation, or newline character filtering, a malicious\u003cbr\u003eor tampered contract response containing embedded newline (\\n) characters can\u003cbr\u003esuccessfully inject arbitrary, attacker-controlled deb configuration lines into\u003cbr\u003eroot-owned APT sources.\u003cbr\u003eWhen combined with the unvalidated additionalPackages[] field\u2014which is passed\u003cbr\u003epositionally into a root-executed apt-get install command\u2014an attacker capable of\u003cbr\u003espoofing or manipulating the contract response (e.g., via a compromised internal\u003cbr\u003einfrastructure, an intercepted connection utilizing a trusted CA, or local logical\u003cbr\u003ebugs) can force the client to fetch and install malicious packages. This ultimately\u003cbr\u003eleads to arbitrary code execution with root privileges on the affected system. This\u003cbr\u003ecomponent is preinstalled on supported Ubuntu Server releases and auto-attaches by\u003cbr\u003edefault on cloud provider Ubuntu Pro images."
                }
              ],
              "value": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python\u0027s str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field\u2014which is passed positionally into a root-executed apt-get install command\u2014an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T12:16:02.508Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://ubuntu.com/security/CVE-2026-11386"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-11386",
        "datePublished": "2026-07-16T12:16:02.508Z",
        "dateReserved": "2026-06-05T15:11:57.169Z",
        "dateUpdated": "2026-07-16T13:31:16.910Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9494 (GCVE-0-2026-9494)

    Vulnerability from cvelistv5 – Published: 2026-07-16 12:12 – Updated: 2026-07-16 15:11
    VLAI
    Title
    ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line
    Summary
    An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-214 - Invocation of process using visible sensitive information
    Assigner
    References
    Date Public
    2026-07-16 12:00
    Credits
    Bilal Teke
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9494",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T13:36:06.361605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T15:11:07.229Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical/",
              "defaultStatus": "unaffected",
              "packageName": "ubuntu-pro-client",
              "platforms": [
                "Linux"
              ],
              "product": "ubuntu-pro-client (ubuntu-advantage-tools)",
              "repo": "https://github.com/canonical/ubuntu-pro-client",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "37.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/resolute",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 26.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/noble",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 24.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~24.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/jammy",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 22.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.2ubuntu~22.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/focal",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 20.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~20.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/bionic",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 18.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~18.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/xenial",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 16.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "37.1ubuntu0~16.04.1",
                  "versionType": "dpkg"
                }
              ]
            },
            {
              "collectionURL": "https://launchpad.net/ubuntu/trusty",
              "defaultStatus": "affected",
              "packageName": "ubuntu-advantage-tools",
              "platforms": [
                "Linux"
              ],
              "product": "Ubuntu 14.04 LTS",
              "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "19.7ubuntu0.1",
                  "versionType": "dpkg"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bilal Teke"
            }
          ],
          "datePublic": "2026-07-16T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client\u003cbr\u003e(formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT\u003cbr\u003ecredentials by executing /usr/lib/apt/apt-helper using the download-file\u003cbr\u003ecommand. During this process, the secret bearer token is embedded directly in\u003cbr\u003ethe cleartext URL component passed via the command-line arguments (argv),\u003cbr\u003eresulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../.\u003cbr\u003eOn systems utilizing a default-mounted /proc file system where process-hiding\u003cbr\u003emitigations (such as hidepid) are disabled, an unprivileged local attacker can\u003cbr\u003emonitor system processes and read the sensitive bearer token directly from\u003cbr\u003e/proc/cmdline while the helper process is actively running. This leaked\u003cbr\u003etoken can subsequently be used to gain unauthorized access to the victim\u0027s\u003cbr\u003eUbuntu Pro or Expanded Security Maintenance (ESM) repositories.\u003cbr\u003e"
                }
              ],
              "value": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in\nthe cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:\u003ctoken\u003e@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can\nmonitor system processes and read the sensitive bearer token directly from /proc/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim\u0027s Ubuntu Pro or Expanded Security Maintenance (ESM) repositories."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-13",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-13 Subverting Environment Variable Values"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-214",
                  "description": "CWE-214 Invocation of process using visible sensitive information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T12:12:27.447Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://ubuntu.com/security/CVE-2026-9494"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-9494",
        "datePublished": "2026-07-16T12:12:27.447Z",
        "dateReserved": "2026-05-25T08:23:24.573Z",
        "dateUpdated": "2026-07-16T15:11:07.229Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }