Skip to main content

Ubuntu 18 04 Lts

3 CVEs product

Monthly

CVE-2026-12391 MEDIUM PATCH This Month

Insecure symlink following in Canonical's ubuntu-pro-client `pro collect-logs` command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including `/etc/shadow` - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack primitive is trivially simple - standard Unix symlink creation - making exploitation straightforward once local access is obtained.

Ubuntu Canonical Information Disclosure Ubuntu Pro Client Ubuntu Advantage Tools Ubuntu 26 04 Lts +5
NVD VulDB
CVSS 3.1
5.0
CVE-2026-11386 CRITICAL PATCH Act Now

Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Ubuntu Canonical RCE Ubuntu Pro Client Ubuntu Advantage Tools +7
NVD VulDB
CVSS 3.1
9.0
CVE-2026-9494 MEDIUM PATCH This Month

ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the Linux /proc filesystem on all supported Ubuntu LTS releases from 14.04 through 26.04. When the client validates APT credentials, it spawns /usr/lib/apt/apt-helper with the secret token embedded in a cleartext URL argument (https://bearer:<token>@esm.ubuntu.com/), which any local low-privileged user can read from /proc/<pid>/cmdline on default-configured systems. The stolen token enables unauthorized access to the victim's Ubuntu Pro ESM repositories. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Ubuntu Canonical Authentication Bypass Information Disclosure Ubuntu Pro Client Ubuntu Advantage Tools +7
NVD
CVSS 3.1
5.5
CVSS 5.0
MEDIUM PATCH This Month

Insecure symlink following in Canonical's ubuntu-pro-client `pro collect-logs` command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including `/etc/shadow` - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack primitive is trivially simple - standard Unix symlink creation - making exploitation straightforward once local access is obtained.

Ubuntu Canonical Information Disclosure +7
NVD VulDB
CVSS 9.0
CRITICAL PATCH Act Now

Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Ubuntu Canonical +9
NVD VulDB
CVSS 5.5
MEDIUM PATCH This Month

ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the Linux /proc filesystem on all supported Ubuntu LTS releases from 14.04 through 26.04. When the client validates APT credentials, it spawns /usr/lib/apt/apt-helper with the secret token embedded in a cleartext URL argument (https://bearer:<token>@esm.ubuntu.com/), which any local low-privileged user can read from /proc/<pid>/cmdline on default-configured systems. The stolen token enables unauthorized access to the victim's Ubuntu Pro ESM repositories. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Ubuntu Canonical Authentication Bypass +9
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy