Search criteria

2 vulnerabilities found for Ubuntu 24.04 LTS by Canonical

CVE-2026-12249 (GCVE-0-2026-12249)

Vulnerability from cvelistv5 – Published: 2026-06-22 15:43 – Updated: 2026-06-22 17:30
VLAI?
Title
Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment
Summary
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
CWE
  • CWE-348 - Improper verification of cryptographic signature
Assigner
Impacted products
Vendor Product Version
Affected: 0.13.0 , < 0.16.3 (semver)
    Canonical Ubuntu 20.04 LTS Unaffected: 0.9.2~20.04.2ubuntu0.1+esm2 (dpkg)
Create a notification for this product.
    Canonical Ubuntu 22.04 LTS Unaffected: 0.16.3~22.04.2ubuntu0.22.04.1 (dpkg)
Create a notification for this product.
    Canonical Ubuntu 24.04 LTS Unaffected: 0.16.3~24.04.2ubuntu0.24.04.1 (dpkg)
Create a notification for this product.
    Canonical Ubuntu 25.10 Unaffected: 0.16.3 (dpkg)
Create a notification for this product.
    Canonical Ubuntu 26.04 LTS Unaffected: 0.16.4ubuntu1 (dpkg)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12249",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T17:30:38.451893Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T17:30:57.314Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/ubuntu",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "repo": "https://github.com/ubuntu/adsys",
          "versions": [
            {
              "lessThan": "0.16.3",
              "status": "affected",
              "version": "0.13.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/focal",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 20.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.9.2~20.04.2ubuntu0.1+esm2",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/jammy",
          "defaultStatus": "affected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 22.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.3~22.04.2ubuntu0.22.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/noble",
          "defaultStatus": "affected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 24.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.3~24.04.2ubuntu0.24.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/questing",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 25.10",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.3",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/resolute",
          "defaultStatus": "unaffected",
          "packageName": "adsys",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 26.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/adsys",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "0.16.4ubuntu1",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "datePublic": "2026-06-19T11:58:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-94",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-94 Adversary in the Middle (AiTM)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "IRRECOVERABLE",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:I/V:D/RE:L/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-348",
              "description": "Improper verification of cryptographic signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T15:45:03.920Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "issue-tracking"
          ],
          "url": "https://ubuntu.com/security/CVE-2026-12249"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ubuntu/adsys/commit/8b1939f96d3827b4426eb06c1ced5bf317b0a99d"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-12249",
    "datePublished": "2026-06-22T15:43:33.890Z",
    "dateReserved": "2026-06-15T08:01:59.335Z",
    "dateUpdated": "2026-06-22T17:30:57.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3888 (GCVE-0-2026-3888)

Vulnerability from cvelistv5 – Published: 2026-03-17 14:02 – Updated: 2026-03-18 08:59
VLAI?
Title
Local Privilege Escalation in snapd
Summary
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
CWE
Assigner
References
Impacted products
Vendor Product Version
Affected: 0 , < 2.75.1 (semver)
    Canonical Ubuntu 16.04 LTS Unaffected: 2.61.4ubuntu0.16.04.1+esm2 , < * (dpkg)
Create a notification for this product.
    Canonical Ubuntu 18.04 LTS Unaffected: 2.61.4ubuntu0.18.04.1+esm2 , < * (dpkg)
Create a notification for this product.
    Canonical Ubuntu 20.04 LTS Unaffected: 2.67.1+20.04ubuntu1~esm1 , < * (dpkg)
Create a notification for this product.
    Canonical Ubuntu 22.04 LTS Unaffected: 2.73+ubuntu22.04.1 , < * (dpkg)
Create a notification for this product.
    Canonical Ubuntu 24.04 LTS Unaffected: 2.73+ubuntu24.04.2 , < * (dpkg)
Create a notification for this product.
Credits
Qualys Security Advisory Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3888",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T03:55:45.787Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-18T03:02:10.640Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/18/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/canonical",
          "defaultStatus": "unaffected",
          "packageName": "snapd",
          "repo": "https://github.com/canonical/snapd/",
          "versions": [
            {
              "lessThan": "2.75.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/xenial",
          "defaultStatus": "affected",
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 16.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/snapd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.61.4ubuntu0.16.04.1+esm2",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/bionic",
          "defaultStatus": "affected",
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 18.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/snapd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.61.4ubuntu0.18.04.1+esm2",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/focal",
          "defaultStatus": "affected",
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 20.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/snapd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.67.1+20.04ubuntu1~esm1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/jammy",
          "defaultStatus": "affected",
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 22.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/snapd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.73+ubuntu22.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/noble",
          "defaultStatus": "affected",
          "packageName": "snapd",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 24.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/snapd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.73+ubuntu24.04.2",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qualys Security Advisory Team"
        }
      ],
      "datePublic": "2026-03-17T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap\u0027s private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-268",
              "description": "CWE-268 Privilege chaining",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T08:59:07.522Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "issue-tracking"
          ],
          "url": "https://ubuntu.com/security/CVE-2026-3888"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://ubuntu.com/security/notices/USN-8102-1"
        },
        {
          "tags": [
            "technical-description",
            "vendor-advisory"
          ],
          "url": "https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888"
        },
        {
          "tags": [
            "technical-description",
            "media-coverage"
          ],
          "url": "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root"
        },
        {
          "tags": [
            "technical-description",
            "media-coverage"
          ],
          "url": "https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Local Privilege Escalation in snapd"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-3888",
    "datePublished": "2026-03-17T14:02:08.475Z",
    "dateReserved": "2026-03-10T16:03:08.583Z",
    "dateUpdated": "2026-03-18T08:59:07.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}