UBUNTU-CVE-2026-55686

Source
https://ubuntu.com/security/CVE-2026-55686
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-55686.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-55686
Upstream
Published
2026-06-26T17:16:00Z
Modified
2026-06-29T23:18:12.521124756Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.

References

Affected packages

Ubuntu:25.10 / podman

Package

Name
podman
Purl
pkg:deb/ubuntu/podman?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.4.1+ds1-1
5.4.2+ds1-1
5.4.2+ds1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "podman",
            "binary_version": "5.4.2+ds1-2"
        },
        {
            "binary_name": "podman-docker",
            "binary_version": "5.4.2+ds1-2"
        },
        {
            "binary_name": "podman-remote",
            "binary_version": "5.4.2+ds1-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-55686.json"

Ubuntu:26.04:LTS / podman

Package

Name
podman
Purl
pkg:deb/ubuntu/podman?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.4.2+ds1-2
5.7.0+ds2-3
5.7.0+ds2-3build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "podman",
            "binary_version": "5.7.0+ds2-3build1"
        },
        {
            "binary_name": "podman-docker",
            "binary_version": "5.7.0+ds2-3build1"
        },
        {
            "binary_name": "podman-remote",
            "binary_version": "5.7.0+ds2-3build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-55686.json"