UBUNTU-CVE-2026-57231

Source
https://ubuntu.com/security/CVE-2026-57231
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57231.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-57231
Upstream
Published
2026-06-26T17:16:00Z
Modified
2026-06-29T23:19:15.859724711Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0.

References

Affected packages

Ubuntu:25.10 / podman

Package

Name
podman
Purl
pkg:deb/ubuntu/podman?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.4.1+ds1-1
5.4.2+ds1-1
5.4.2+ds1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "podman",
            "binary_version": "5.4.2+ds1-2"
        },
        {
            "binary_name": "podman-docker",
            "binary_version": "5.4.2+ds1-2"
        },
        {
            "binary_name": "podman-remote",
            "binary_version": "5.4.2+ds1-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57231.json"

Ubuntu:26.04:LTS / podman

Package

Name
podman
Purl
pkg:deb/ubuntu/podman?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.4.2+ds1-2
5.7.0+ds2-3
5.7.0+ds2-3build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "podman",
            "binary_version": "5.7.0+ds2-3build1"
        },
        {
            "binary_name": "podman-docker",
            "binary_version": "5.7.0+ds2-3build1"
        },
        {
            "binary_name": "podman-remote",
            "binary_version": "5.7.0+ds2-3build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57231.json"