UBUNTU-CVE-2026-39894

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-39894

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-39894

Upstream

CVE-2026-39894

Published

2026-06-26T00:00:00Z

Modified

2026-06-26T12:28:20.994671478Z

Severity

2.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate() can corrupt RRDtool metric values. The rrdtoolfunctionupdate() function checks metric values with isnumeric() and concatenates them into the RRDtool update command via PHP string interpolation. PHP's string cast of floats is locale-sensitive: if LCNUMERIC uses comma as decimal separator (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as decimal separator, causing metric data to shift into wrong columns or be silently dropped. No setlocale() reset is present in the update path. This causes a data integrity issue, but is not remotely exploitable; it requires server locale misconfiguration. The issue has been fixed in version 1.2.31.

References

Affected packages

Ubuntu:24.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.25+ds1-2

1.2.26+ds1-1

1.2.26+ds1-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.26+ds1-1ubuntu0.1",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:25.10

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.28+ds1-4ubuntu1

1.2.30+ds1-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.30+ds1-1ubuntu1",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:26.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.30+ds1-1ubuntu1

1.2.30+ds1-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.30+ds1-1ubuntu2",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:Pro:14.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.8b+dfsg-3

0.8.8b+dfsg-5

0.8.8b+dfsg-5ubuntu0.1

0.8.8b+dfsg-5ubuntu0.2

0.8.8b+dfsg-5ubuntu0.2+esm1

0.8.8b+dfsg-5ubuntu0.2+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.8.8b+dfsg-5ubuntu0.2+esm2",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:Pro:16.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.8f+ds1-2

0.8.8f+ds1-3

0.8.8f+ds1-4

0.8.8f+ds1-4ubuntu1

0.8.8f+ds1-4ubuntu2

0.8.8f+ds1-4ubuntu3

0.8.8f+ds1-4ubuntu4

0.8.8f+ds1-4ubuntu4.16.04

0.8.8f+ds1-4ubuntu4.16.04.1

0.8.8f+ds1-4ubuntu4.16.04.2

0.8.8f+ds1-4ubuntu4.16.04.2+esm1

0.8.8f+ds1-4ubuntu4.16.04.2+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.8.8f+ds1-4ubuntu4.16.04.2+esm2",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:Pro:18.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.18+ds1-1

1.1.27+ds1-2

1.1.27+ds1-3

1.1.28+ds1-2

1.1.35+ds1-1

1.1.36+ds1-1

1.1.38+ds1-1

1.1.38+ds1-1ubuntu0.1~esm1

1.1.38+ds1-1ubuntu0.1~esm3

1.1.38+ds1-1ubuntu0.1~esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.38+ds1-1ubuntu0.1~esm4",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:Pro:20.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.4+ds1-2ubuntu3

1.2.9+ds1-1ubuntu1

1.2.9+ds1-1ubuntu2

1.2.10+ds1-1ubuntu1

1.2.10+ds1-1ubuntu1+esm1

1.2.10+ds1-1ubuntu1.1

1.2.10+ds1-1ubuntu1.1+esm1

1.2.10+ds1-1ubuntu1.1+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.10+ds1-1ubuntu1.1+esm2",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"

Ubuntu:Pro:22.04:LTS

cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.16+ds1-2ubuntu1

1.2.19+ds1-2ubuntu1

1.2.19+ds1-2ubuntu1+esm1

1.2.19+ds1-2ubuntu1.1

1.2.19+ds1-2ubuntu1.1+esm1

1.2.19+ds1-2ubuntu1.1+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.19+ds1-2ubuntu1.1+esm2",
            "binary_name": "cacti"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39894.json"