A path validation flaw (CVE-2026-41082) in the opam package manager allows an attacker to bypass sandbox protections and write files to arbitrary locations by providing a specially crafted package, potentially leading to arbitrary code execution. The vulnerability affects multiple Ubuntu LTS releases, including 26.04, 24.04, 22.04, and 20.04. The issue is corrected by updating to the specific package versions listed in the notice, such as opam version 2.5.0-1ubuntu0.1~esm1 for Ubuntu 26.04 LTS.
Ubuntu Security Notices USN-8256-1 USN-8256-1: opam vulnerability Publication date 7 May 2026 Overview opam could be made to install files in unintended locations if it installed a specially crafted package. Releases 26.04 LTS 25.10 24.04 LTS 22.04 LTS 20.04 LTS Open side navigation Close side navigation Packages Details Update instructions References Packages opam - package manager for OCaml Details Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution. Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution. Update instructions In general, a standard system update will make all the necessary changes. Learn more about how to get the fixes. The problem can be corrected by updating your system to the following package versions: Ubuntu Release Package Version 26.04 LTS resolute opam – 2.5.0-1ubuntu0.1~esm1 Ubuntu Pro Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future. opam-installer – 2.5.0-1ubuntu0.1~esm1 Ubuntu Pro Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future. 25.10 questing opam – 2.3.0-1+deb13u1build0.25.10.1 opam-installer – 2.3.0-1+deb13u1build0.25.10.1 24.04 LTS noble opam – 2.1.5-1ubuntu0.1~esm2 Ubuntu Pro Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future. opam-installer – 2.1.5-1ubuntu0.1~esm2 Ubuntu Pro Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future. 22.04 LTS jammy opam – 2.1.2-1+deb12u1build0.22.04.1 opam-installer – 2.1.2-1+deb12u1build0.22.04.1 20.04 LTS focal opam – 2.0.5-1ubuntu1+esm1 Ubuntu Pro Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future. opam-installer – 2.0.5-1ubuntu1+esm1 Ubuntu Pro Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future. Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Get Ubuntu Pro References CVE-2026-41082 CVE-2026-41082