CVE-2026-11386
An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources.
1 article across 1 outlet · first covered Jul 18, 2026 · latest Jul 18, 2026
Tracked incidents
Coverage timeline
-
Ubuntu Pro Client Flaw CVE-2026-11386 Allows Arbitrary Code Execution With Root Privilegessecurityonline.info · Jul 18, 2026