Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:I/V:D/RE:L/U:Red
Network MITM is required (AV:N, AC:H); no authentication or user interaction is needed (PR:N/UI:N). Poisoning the OS trust store breaks TLS for every client application on the host and crosses a trust boundary into the systems it talks to, hence VC/VI/VA:H together with SC/SI/SA:H.
Primary rating from Vendor (canonical).
Description (CVE.org)
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
Analysis (AI)
TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires the target Ubuntu host to be joined to an Active Directory domain with ADSys configured and the AD CS certificate auto-enrollment Group Policy applied, since the vulnerable code path is gp_cert_auto_enroll_ext.py. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N), with VC/VI/VA and SC/SI/SA all set to High, reflects that an unauthenticated network attacker who can MITM the host-to-CA path gains full control of the TLS trust boundary on the victim and, through it, of the systems it subsequently communicates with. … |
| Exploit Scenario | An attacker on the same broadcast domain or upstream router as a managed Ubuntu workstation uses ARP spoofing or rogue DHCP/DNS to intercept the periodic HTTP GetCACert request that the ADSys auto-enrollment extension sends to the configured AD CS hostname. The attacker responds with an attacker-controlled Root CA certificate; ADSys writes it into the system trust store via update-ca-certificates, after which the attacker can present forged certificates for any domain (banking, IdP, package mirrors) and silently decrypt or modify the victim's TLS traffic. |
| Remediation | Vendor-released patch: ADSys v0.16.3, which replaces the plaintext http:// scheme with https:// in the GetCACert request (commit https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d); upgrade the adsys package on all AD-joined Ubuntu hosts to that version or the distribution-specific backport tracked in https://ubuntu.com/security/CVE-2026-12249. … |
Recommended Action (AI)
Within 24 hours: Identify all Ubuntu hosts running Canonical ADSys v0.16.2 or earlier with AD CS auto-enrollment active. …
Related advisories
EUVD-2026-38297
GHSA-crm4-q7v4-c2r2