UBUNTU-CVE-2026-39977

Source
https://ubuntu.com/security/CVE-2026-39977
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39977.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-39977
Upstream
  • CVE-2026-39977
Published
2026-04-09T20:16:00Z
Modified
2026-05-20T16:25:38.531287082Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
  • Ubuntu - medium
Summary
[none]
Details

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user-defined licence files, relative to the source directory of the module. Each path in that array is resolved with g_file_resolve_relative_path() and then validated to stay inside the source directory using two checks: g_file_get_relative_path(), which is a purely lexical comparison and does not resolve symlinks, and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, which only inspects the final path component. A symlink in any intermediate directory component therefore passes both checks. The copy operation runs on the host, outside the build sandbox. A crafted manifest and/or source tree can exploit this to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.
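The following is an added example, not flatpak-builder code, that reproduces the class of check the advisory describes using the Python standard library. lexical_check() stands in for the vulnerable validation (a lexical containment test plus a no-follow type query on the leaf only; it is a reconstruction of the described logic, not the project's source). resolved_check() is a hardened form that resolves every component before testing containment. The source tree, the "host" file and the relative paths are constructed in a temporary directory for the demonstration.

```python
"""Path-containment checks against a symlink in an intermediate component.

Added example, not flatpak-builder code. lexical_check() reconstructs the
validation pattern described in the advisory; resolved_check() shows the
hardened alternative. All files and paths are constructed in a temp dir.
"""
import os
import tempfile


def lexical_check(source_dir: str, rel_path: str) -> bool:
    """Vulnerable pattern: lexical containment (like g_file_get_relative_path,
    which never resolves symlinks) plus a no-follow symlink test that only
    covers the final path component."""
    candidate = os.path.normpath(os.path.join(source_dir, rel_path))
    # Lexical containment: catches "../" but is blind to symlinks.
    if os.path.commonpath([source_dir, candidate]) != source_dir:
        return False
    # Final-component check only: a symlinked leaf is rejected, but a
    # symlinked directory earlier in the path is never looked at.
    if os.path.islink(candidate):
        return False
    return os.path.isfile(candidate)


def resolved_check(source_dir: str, rel_path: str) -> bool:
    """Hardened form: resolve symlinks in every component of both the base
    directory and the candidate, then require containment of the result."""
    real_source = os.path.realpath(source_dir)
    real_candidate = os.path.realpath(os.path.join(source_dir, rel_path))
    if os.path.commonpath([real_source, real_candidate]) != real_source:
        return False
    return os.path.isfile(real_candidate)


def demo() -> dict:
    """Build a constructed source tree with (a) a legitimate licence file,
    (b) a symlinked leaf and (c) a symlinked intermediate directory that both
    point outside the tree, and run both checks on each manifest-style path."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        os.makedirs(os.path.join(source, "docs"))

        # Constructed stand-in for a sensitive file on the host.
        host_dir = os.path.join(tmp, "host")
        os.makedirs(host_dir)
        with open(os.path.join(host_dir, "secret.txt"), "w") as f:
            f.write("host secret\n")

        # Legitimate licence file inside the source directory.
        with open(os.path.join(source, "COPYING"), "w") as f:
            f.write("MIT\n")

        # Crafted source: a symlinked leaf and a symlinked directory.
        os.symlink(os.path.join(host_dir, "secret.txt"),
                   os.path.join(source, "docs", "leaf"))
        os.symlink(host_dir, os.path.join(source, "docs", "escape"))

        paths = {
            "good": "COPYING",
            "dotdot": "../host/secret.txt",
            "leaf_symlink": "docs/leaf",
            "dir_symlink": "docs/escape/secret.txt",
        }
        results = {}
        for name, rel in paths.items():
            results["lexical_" + name] = lexical_check(source, rel)
            results["resolved_" + name] = resolved_check(source, rel)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {'accepted' if value else 'rejected'}")
```

Running demo() shows the lexical check rejecting the "../" path and the symlinked leaf but accepting docs/escape/secret.txt, whose final component is a regular file reached through a symlinked directory; the resolved check rejects both symlink cases. Note that resolving and then copying is still a check-then-use sequence: a tree that an attacker can modify concurrently would need the copy itself to be performed with no-follow semantics (for example an O_NOFOLLOW openat chain from the source directory) rather than a pre-check alone.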

References

Affected packages

Ubuntu:25.10 / flatpak-builder

Package

Name
flatpak-builder
Purl
pkg:deb/ubuntu/flatpak-builder?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.4.4-2
1.4.4-2build1
1.4.5-1
1.4.6-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "flatpak-builder",
            "binary_version": "1.4.6-2"
        },
        {
            "binary_name": "flatpak-builder-tests",
            "binary_version": "1.4.6-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39977.json"

Ubuntu:26.04:LTS / flatpak-builder

Package

Name
flatpak-builder
Purl
pkg:deb/ubuntu/flatpak-builder?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.8-1

Affected versions

1.*
1.4.6-2
1.4.7-1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "flatpak-builder",
            "binary_version": "1.4.8-1"
        },
        {
            "binary_name": "flatpak-builder-tests",
            "binary_version": "1.4.8-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39977.json"