Ubuntu 16 04 Lts
Monthly
Insecure symlink following in Canonical's ubuntu-pro-client `pro collect-logs` command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including `/etc/shadow` - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack primitive is trivially simple - standard Unix symlink creation - making exploitation straightforward once local access is obtained.
Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the Linux /proc filesystem on all supported Ubuntu LTS releases from 14.04 through 26.04. When the client validates APT credentials, it spawns /usr/lib/apt/apt-helper with the secret token embedded in a cleartext URL argument (https://bearer:<token>@esm.ubuntu.com/), which any local low-privileged user can read from /proc/<pid>/cmdline on default-configured systems. The stolen token enables unauthorized access to the victim's Ubuntu Pro ESM repositories. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
Insecure symlink following in Canonical's ubuntu-pro-client `pro collect-logs` command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including `/etc/shadow` - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack primitive is trivially simple - standard Unix symlink creation - making exploitation straightforward once local access is obtained.
Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the Linux /proc filesystem on all supported Ubuntu LTS releases from 14.04 through 26.04. When the client validates APT credentials, it spawns /usr/lib/apt/apt-helper with the secret token embedded in a cleartext URL argument (https://bearer:<token>@esm.ubuntu.com/), which any local low-privileged user can read from /proc/<pid>/cmdline on default-configured systems. The stolen token enables unauthorized access to the victim's Ubuntu Pro ESM repositories. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.