{"id":"USN-8496-3","summary":"cifs-utils vulnerability","details":"USN-8496-1 fixed vulnerabilities in cifs-utils. The update caused a\nregression and was backed out in USN-8496-2. This update reintroduces the\nsecurity fix, along with a fix for the regression.\n\nOriginal advisory details:\n\n It was discovered that cifs-utils incorrectly dropped root privileges\n before looking up user information. A local attacker could possibly use\n this issue to execute arbitrary code as the root user.","modified":"2026-07-13T20:44:42.240191956Z","published":"2026-07-13T12:33:26Z","related":["UBUNTU-CVE-2026-12505"],"upstream":["CVE-2026-12505","UBUNTU-CVE-2026-12505"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8496-3"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-12505"}],"affected":[{"package":{"name":"cifs-utils","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/cifs-utils?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:6.14-1ubuntu0.6"}]}],"versions":["2:6.11-3.1","2:6.14-1","2:6.14-1build1","2:6.14-1ubuntu0.1","2:6.14-1ubuntu0.2","2:6.14-1ubuntu0.3","2:6.14-1ubuntu0.4","2:6.14-1ubuntu0.5"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"cifs-utils","binary_version":"2:6.14-1ubuntu0.6"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-12505","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8496-3.json"}},{"package":{"name":"cifs-utils","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/cifs-utils?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.0-2ubuntu0.5"}]}],"versions":["2:7.0-2","2:7.0-2build1","2:7.0-2ubuntu0.1","2:7.0-2ubuntu0.2","2:7.0-2ubuntu0.3","2:7.0-2ubuntu0.4"],"ecosystem_specific":{"binaries":[{"binary_version":"2:7.0-2ubuntu0.5","binary_name":"cifs-utils"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8496-3.json","cves_map":{"cves":[{"id":"CVE-2026-12505","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:24.04:LTS"}}},{"package":{"name":"cifs-utils","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/cifs-utils?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.4-1ubuntu0.26.04.3"}]}],"versions":["2:7.4-1","2:7.4-1build1","2:7.4-1ubuntu0.26.04.1","2:7.4-1ubuntu0.26.04.2"],"ecosystem_specific":{"binaries":[{"binary_version":"2:7.4-1ubuntu0.26.04.3","binary_name":"cifs-utils"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:26.04:LTS","cves":[{"id":"CVE-2026-12505","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8496-3.json"}}],"schema_version":"1.7.5"}