TL;DR
Canonical shipped fixes for CVE-2026-11386 in USN-8555-1 on July 16, 2026. This Ubuntu Pro Client vulnerability scores CVSS 9.0 and can end in arbitrary code execution with root privileges. Frederick Jerusha reported the issue.
Why it matters
The client ships preinstalled on supported Ubuntu Server releases. It also auto-attaches by default on cloud provider Ubuntu Pro images. The blast radius therefore covers a large fleet of servers and cloud instances.
Canonical’s own ratings diverge slightly. The CVSS base score lands at 9.0 Critical, yet Canonical assigns an internal priority of High. The vector marks scope as Changed, which reflects the jump to root.
How the attack works
The Ubuntu Pro Client writes APT source files using data from the contract server. It pulls the directives.suites[] and directives.aptURL fields straight into those files. Python’s str.format() handles the writing, with no escaping and no newline filtering. Embedded newline characters can therefore inject attacker-chosen deb lines into root-owned APT sources.
A second gap compounds the first. The unvalidated additionalPackages[] field passes positionally into a root-executed apt-get install. An attacker who spoofs or tampers with the contract response can then force malicious package installs. That chain ends in code execution with root privileges.
Getting there takes work, though. Canonical rates attack complexity as High. Plausible routes include compromised internal infrastructure or an intercepted connection using a trusted CA.
Exploitation status
Nobody has confirmed exploitation in the wild. No public proof-of-concept exists either.
Affected versions
Canonical patched ubuntu-advantage-tools across every supported LTS line:
- 26.04 LTS: 37.2ubuntu0.1
- 24.04 LTS: 37.2ubuntu~24.04.1
- 22.04 LTS: 37.2ubuntu~22.04.1
- 20.04 and 18.04 LTS: 37.1ubuntu0~20.04.1 and 37.1ubuntu0~18.04.1, via Ubuntu Pro
- 16.04 and 14.04 LTS: via Ubuntu Pro with the Legacy Support add-on
One gap stands out. Canonical marks Ubuntu 25.10 (questing) as ignored because it reached end of life, so no patch lands there.
Patch and mitigation steps
Run a standard system update. That pulls the fix on supported releases, and no workaround exists otherwise. Check Canonical’s advisory for CVE-2026-11386 for exact per-release package versions.
USN-8555-1 bundles two more Pro Client fixes worth noting. CVE-2026-9494 exposed the Pro bearer token in command-line arguments. CVE-2026-12391 mishandled symbolic links during log collection. Patch once and you close this Ubuntu Pro Client vulnerability alongside both. Anyone still on 25.10 should upgrade the release itself.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.