🔐 CVE Alert

CVE-2026-11386

CRITICAL 9.0

ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution

CVSS Score
9.0
EPSS Score
0.0%
EPSS Percentile
0th

An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.

CWE CWE-20
Vendor canonical
Product ubuntu-pro-client (ubuntu-advantage-tools)
Ecosystems
Industries
Technology
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for canonical ubuntu-pro-client (ubuntu-advantage-tools)

Be the first to know when new critical vulnerabilities affecting canonical ubuntu-pro-client (ubuntu-advantage-tools) are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Canonical / ubuntu-pro-client (ubuntu-advantage-tools)
0 < 37.3
Canonical / Ubuntu 26.04 LTS
All versions affected
Canonical / Ubuntu 24.04 LTS
All versions affected
Canonical / Ubuntu 22.04 LTS
All versions affected
Canonical / Ubuntu 20.04 LTS
All versions affected
Canonical / Ubuntu 18.04 LTS
All versions affected
Canonical / Ubuntu 16.04 LTS
All versions affected
Canonical / Ubuntu 14.04 LTS
All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗
ubuntu.com: https://ubuntu.com/security/CVE-2026-11386

Credits

Frederick Jerusha