Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Local vector and PR:L because symlink pre-placement requires a local account; UI:R because a privileged admin must manually invoke the diagnostic command; C:H for potential /etc/shadow disclosure; no integrity or availability impact applies.
Primary rating from Vendor (canonical).
CVSS VectorVendor: canonical
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.
AnalysisAI
Insecure symlink following in Canonical's ubuntu-pro-client pro collect-logs command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including /etc/shadow - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local account with at least low privileges on the affected Ubuntu host and write access to the predictable path consumed by `pro collect-logs` - specifically the temporary directory or log staging location the tool uses before archiving. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N encodes a local attack of low complexity requiring low privileges, with the critical limiting factor being UI:R - an administrator must actively invoke `pro collect-logs`, which is not a routine or automated Ubuntu operation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user on a multi-user Ubuntu system identifies the predictable temporary or log directory path consumed by `pro collect-logs` and creates a symbolic link at that path pointing to `/etc/shadow`. When a system administrator later runs `pro collect-logs` to generate a support bundle - for example, before opening a Canonical support ticket - the tool follows the attacker-controlled symlink, reads the shadow password file as root, and bundles its contents into the archive. … |
| Remediation | The primary fix is to upgrade ubuntu-pro-client to the patched version published by Canonical; consult the vendor advisory at https://ubuntu.com/security/CVE-2026-12391 for exact fixed package versions, as no specific patched release was confirmed in the available input data - patch availability is stated as available per vendor advisory but the version cannot be independently confirmed from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker w
ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the L
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44912
GHSA-whf7-7mxf-ww93