UBUNTU-CVE-2026-24049

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-24049

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-24049

Upstream

CVE-2026-24049

Published

2026-01-22T05:16:00Z

Modified

2026-02-23T06:57:36.969706Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

References

Affected packages

Ubuntu:18.04:LTS

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.30.0-0.2ubuntu0.1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.29.0-2

0.30.0-0.2

0.30.0-0.2ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.30.0-0.2ubuntu0.1",
            "binary_name": "python-wheel"
        },
        {
            "binary_version": "0.30.0-0.2ubuntu0.1",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.30.0-0.2ubuntu0.1",
            "binary_name": "python3-wheel"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:20.04:LTS

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.34.2-1ubuntu0.1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.32.3-2

0.33.6-1

0.33.6-1ubuntu1

0.33.6-2

0.34.2-1

0.34.2-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.34.2-1ubuntu0.1",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.34.2-1ubuntu0.1",
            "binary_name": "python3-wheel"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:22.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@22.0.2+dfsg-1ubuntu0.7?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.3.4-4

21.*

21.3.1+dfsg-3

22.*

22.0.2+dfsg-1

22.0.2+dfsg-1ubuntu0.1

22.0.2+dfsg-1ubuntu0.2

22.0.2+dfsg-1ubuntu0.3

22.0.2+dfsg-1ubuntu0.4

22.0.2+dfsg-1ubuntu0.5

22.0.2+dfsg-1ubuntu0.6

22.0.2+dfsg-1ubuntu0.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.37.1-2ubuntu0.22.04.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.34.2-1

0.37.1-2

0.37.1-2ubuntu0.22.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.37.1-2ubuntu0.22.04.1",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.37.1-2ubuntu0.22.04.1",
            "binary_name": "python3-wheel"
        },
        {
            "binary_version": "0.37.1-2ubuntu0.22.04.1",
            "binary_name": "python3-wheel-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:24.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@24.0+dfsg-1ubuntu1.3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.2+dfsg-1

23.3+dfsg-1

24.*

24.0+dfsg-1

24.0+dfsg-1ubuntu1

24.0+dfsg-1ubuntu1.1

24.0+dfsg-1ubuntu1.2

24.0+dfsg-1ubuntu1.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.42.0-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.41.0-2

0.41.2-1

0.42.0-1

0.42.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.42.0-2",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.42.0-2",
            "binary_name": "python3-wheel"
        },
        {
            "binary_version": "0.42.0-2",
            "binary_name": "python3-wheel-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:25.10

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@25.1.1+dfsg-1ubuntu2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

25.*

25.0+dfsg-1

25.1.1+dfsg-1

25.1.1+dfsg-1ubuntu1

25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.46.1-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.45.1-1

0.46.1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.46.1-2",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.46.1-2",
            "binary_name": "python3-wheel"
        },
        {
            "binary_version": "0.46.1-2",
            "binary_name": "python3-wheel-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:Pro:14.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@1.5.4-1ubuntu4+esm5?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.1-2

1.5.4-1

1.5.4-1ubuntu1

1.5.4-1ubuntu3

1.5.4-1ubuntu4

1.5.4-1ubuntu4+esm1

1.5.4-1ubuntu4+esm2

1.5.4-1ubuntu4+esm3

1.5.4-1ubuntu4+esm4

1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.24.0-1~ubuntu1.1+esm1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.24.0-1~ubuntu1

0.24.0-1~ubuntu1.1

0.24.0-1~ubuntu1.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.24.0-1~ubuntu1.1+esm1",
            "binary_name": "python-wheel"
        },
        {
            "binary_version": "0.24.0-1~ubuntu1.1+esm1",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.24.0-1~ubuntu1.1+esm1",
            "binary_name": "python3-wheel"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:Pro:16.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@8.1.1-2ubuntu0.6+esm12?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.6-7ubuntu1

1.5.6-7ubuntu2

8.*

8.0.2-7

8.0.3-1

8.0.3-2

8.1.0-1

8.1.0-2

8.1.1-1

8.1.1-2

8.1.1-2ubuntu0.1

8.1.1-2ubuntu0.2

8.1.1-2ubuntu0.4

8.1.1-2ubuntu0.6

8.1.1-2ubuntu0.6+esm2

8.1.1-2ubuntu0.6+esm3

8.1.1-2ubuntu0.6+esm4

8.1.1-2ubuntu0.6+esm5

8.1.1-2ubuntu0.6+esm6

8.1.1-2ubuntu0.6+esm8

8.1.1-2ubuntu0.6+esm10

8.1.1-2ubuntu0.6+esm11

8.1.1-2ubuntu0.6+esm12

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

wheel

Package

Name: wheel
Purl: pkg:deb/ubuntu/wheel@0.29.0-1ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.26.0-1

0.29.0-1

0.29.0-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.29.0-1ubuntu0.1~esm1",
            "binary_name": "python-wheel"
        },
        {
            "binary_version": "0.29.0-1ubuntu0.1~esm1",
            "binary_name": "python-wheel-common"
        },
        {
            "binary_version": "0.29.0-1ubuntu0.1~esm1",
            "binary_name": "python3-wheel"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:Pro:18.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@9.0.1-2.3~ubuntu1.18.04.8+esm8?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.0.1-2

9.0.1-2.3~ubuntu1

9.0.1-2.3~ubuntu1.18.04.1

9.0.1-2.3~ubuntu1.18.04.2

9.0.1-2.3~ubuntu1.18.04.3

9.0.1-2.3~ubuntu1.18.04.4

9.0.1-2.3~ubuntu1.18.04.5

9.0.1-2.3~ubuntu1.18.04.5+esm2

9.0.1-2.3~ubuntu1.18.04.5+esm3

9.0.1-2.3~ubuntu1.18.04.6

9.0.1-2.3~ubuntu1.18.04.6+esm1

9.0.1-2.3~ubuntu1.18.04.7

9.0.1-2.3~ubuntu1.18.04.7+esm1

9.0.1-2.3~ubuntu1.18.04.8

9.0.1-2.3~ubuntu1.18.04.8+esm1

9.0.1-2.3~ubuntu1.18.04.8+esm2

9.0.1-2.3~ubuntu1.18.04.8+esm4

9.0.1-2.3~ubuntu1.18.04.8+esm6

9.0.1-2.3~ubuntu1.18.04.8+esm7

9.0.1-2.3~ubuntu1.18.04.8+esm8

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"

Ubuntu:Pro:20.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@20.0.2-5ubuntu1.11+esm4?arch=source&distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.1-5

18.1-5build1

18.1-5ubuntu1

20.*

20.0.2-2

20.0.2-4

20.0.2-5

20.0.2-5ubuntu1

20.0.2-5ubuntu1.1

20.0.2-5ubuntu1.3

20.0.2-5ubuntu1.4

20.0.2-5ubuntu1.5

20.0.2-5ubuntu1.6

20.0.2-5ubuntu1.7

20.0.2-5ubuntu1.8

20.0.2-5ubuntu1.9

20.0.2-5ubuntu1.10

20.0.2-5ubuntu1.10+esm2

20.0.2-5ubuntu1.11

20.0.2-5ubuntu1.11+esm2

20.0.2-5ubuntu1.11+esm3

20.0.2-5ubuntu1.11+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm4",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm4",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-24049.json"