Linux Distros Unpatched Vulnerability : CVE-2026-39832

🗓️ 25 May 2026 00:00:00Reported by TenableType

CVE-2026-39832 on Linux: key extensions are serialized and unsupported constraints rejected.

Reporter	Title	Published	Views	Family All 45
ATTACKERKB	CVE-2026-39832	22 May 202602:31	–	attackerkb
Tenable Nessus	Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-39832)	29 May 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : trivy (openSUSE-SU-2026:20833-1)	1 Jun 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : apptainer (openSUSE-SU-2026:20834-1)	1 Jun 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : hauler (openSUSE-SU-2026:20838-1)	1 Jun 202600:00	–	nessus
CBLMariner	CVE-2026-39832 affecting package docker-buildx for versions less than 0.14.0-13	30 May 202600:34	–	cbl_mariner
CBLMariner	CVE-2026-39832 affecting package docker-compose for versions less than 2.27.0-11	30 May 202600:34	–	cbl_mariner
CBLMariner	CVE-2026-39832 affecting package packer for versions less than 1.9.5-14	30 May 202603:37	–	cbl_mariner
CBLMariner	CVE-2026-39832 affecting package telegraf for versions less than 1.31.0-21	30 May 202600:34	–	cbl_mariner
Chainguard	CVE-2026-39832 vulnerabilities	27 May 202613:18	–	cgr

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-39832
ubuntu	www.ubuntu.com/security/CVE-2026-39832
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(316565);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/30");

  script_cve_id("CVE-2026-39832");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-39832");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - When adding a key to a remote agent constraint extensions such as [email protected]
    were not serialized in the request. Destination restrictions were silently stripped when forwarding keys,
    allowing unrestricted use of the key on the remote host. The client now serializes all constraint
    extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported
    constraint extensions instead of silently ignoring them. (CVE-2026-39832)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-39832");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-39832");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-39832");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:26.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-go.crypto");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:google-guest-agent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:lxd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:snapd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-go.crypto");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10", "Host/OS/Ubuntu Linux-26.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "golang-golang-x-crypto-dev"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "golang-golang-x-crypto-dev"}
        ]
      }
    ]
  },
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "golang-golang-x-crypto-dev"}
        ]
      }
    ]
  },
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "golang-github-lxc-lxd-dev"},
          {"reference": "golang-github-ubuntu-core-snappy-dev"},
          {"reference": "golang-go.crypto-dev"},
          {"reference": "golang-golang-x-crypto-dev"},
          {"reference": "google-guest-agent"},
          {"reference": "lxc2"},
          {"reference": "lxd"},
          {"reference": "lxd-client"},
          {"reference": "lxd-tools"},
          {"reference": "snapd"},
          {"reference": "ubuntu-core-snapd-units"},
          {"reference": "ubuntu-snappy"},
          {"reference": "ubuntu-snappy-cli"}
        ]
      }
    ]
  },
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "golang-github-snapcore-snapd-dev"},
          {"reference": "golang-github-ubuntu-core-snappy-dev"},
          {"reference": "golang-go.crypto"},
          {"reference": "google-guest-agent"},
          {"reference": "lxd"},
          {"reference": "lxd-client"},
          {"reference": "lxd-tools"},
          {"reference": "snap-confine"},
          {"reference": "snapd"},
          {"reference": "snapd-xdg-open"},
          {"reference": "ubuntu-core-launcher"},
          {"reference": "ubuntu-core-snapd-units"},
          {"reference": "ubuntu-snappy"},
          {"reference": "ubuntu-snappy-cli"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "golang-github-snapcore-snapd-dev"},
          {"reference": "golang-github-ubuntu-core-snappy-dev"},
          {"reference": "golang-go.crypto"},
          {"reference": "google-guest-agent"},
          {"reference": "snap-confine"},
          {"reference": "snapd"},
          {"reference": "snapd-xdg-open"},
          {"reference": "ubuntu-core-launcher"},
          {"reference": "ubuntu-core-snapd-units"},
          {"reference": "ubuntu-snappy"},
          {"reference": "ubuntu-snappy-cli"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "golang-github-snapcore-snapd-dev"},
          {"reference": "golang-github-ubuntu-core-snappy-dev"},
          {"reference": "golang-go.crypto"},
          {"reference": "google-guest-agent"},
          {"reference": "snap-confine"},
          {"reference": "snapd"},
          {"reference": "snapd-xdg-open"},
          {"reference": "ubuntu-core-launcher"},
          {"reference": "ubuntu-core-snapd-units"},
          {"reference": "ubuntu-snappy"},
          {"reference": "ubuntu-snappy-cli"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "golang-github-snapcore-snapd-dev"},
          {"reference": "golang-github-ubuntu-core-snappy-dev"},
          {"reference": "golang-go.crypto"},
          {"reference": "google-guest-agent"},
          {"reference": "snap-confine"},
          {"reference": "snapd"},
          {"reference": "snapd-xdg-open"},
          {"reference": "ubuntu-core-launcher"},
          {"reference": "ubuntu-core-snapd-units"},
          {"reference": "ubuntu-snappy"},
          {"reference": "ubuntu-snappy-cli"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "golang-github-snapcore-snapd-dev"},
          {"reference": "golang-github-ubuntu-core-snappy-dev"},
          {"reference": "golang-go.crypto"},
          {"reference": "google-guest-agent"},
          {"reference": "snap-confine"},
          {"reference": "snapd"},
          {"reference": "snapd-xdg-open"},
          {"reference": "ubuntu-core-launcher"},
          {"reference": "ubuntu-core-snapd-units"},
          {"reference": "ubuntu-snappy"},
          {"reference": "ubuntu-snappy-cli"}
        ]
      }
    ]
  },
  "Ubuntu Linux-26.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "26.04",
        "pkgs": [
          {"reference": "golang-github-snapcore-snapd-dev"},
          {"reference": "golang-go.crypto"},
          {"reference": "google-guest-agent"},
          {"reference": "snapd"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

30 May 2026 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.19.1

EPSS0.00068

SSVC