| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-42027 | 4 May 2026 16:43 | – | attackerkb |
| CVE-2026-42027 vulnerabilities | 9 May 2026 13:17 | – | cgr |
| CVE-2026-42027 | 5 May 2026 20:20 | – | circl |
| Apache OpenNLP security vulnerability | 4 May 2026 00:00 | – | cnnvd |
| CVE-2026-42027 | 4 May 2026 16:43 | – | cve |
| CVE-2026-42027 Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader | 4 May 2026 16:43 | – | cvelist |
| CVE-2026-42027 | 4 May 2026 16:43 | – | debiancve |
| EUVD-2026-27005 | 4 May 2026 16:43 | – | euvd |
| Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest | 4 May 2026 18:30 | – | github |
| CVE-2026-42027 | 4 May 2026 17:16 | – | nvd |
| Source | Link |
|---|---|
| security-tracker | security-tracker.debian.org/tracker/CVE-2026-42027 |
| ubuntu | ubuntu.com/security/CVE-2026-42027 |
| cve | cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(312234);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/22");
script_cve_id("CVE-2026-42027");
script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-42027");
script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.
- Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected:
before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method
loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the
class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom
check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory
for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has
already loaded and initialized the named class. Class.forName() with default initialization semantics
executes the target class's static initializer before returning, so an attacker who can supply a crafted
model archive can cause the static initializer of any class on the classpath to run during model loading,
regardless of whether that class passes the subsequent type check. Exploitation requires a class with
attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or
filesystem access) to be present on the classpath, so this is not a drop-in remote code execution;
however, the attack surface grows as third-party model distribution becomes more common (community model
repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not
control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or
ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such
a class and force its constructor to run during model load. Mitigation: * 2.x users should upgrade to
2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix allowlist that is
consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never
executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models
referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically
via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the
OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users
who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and
should audit their classpath for classes with side-effecting static initializers or constructors,
particularly any that perform JNDI lookups, network requests, or filesystem operations during class
initialization. (CVE-2026-42027)
Note that Nessus relies on the presence of the package as reported by the vendor.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-42027");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-42027");
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42027");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/05");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache-opennlp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:apache-opennlp");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10");
exit(0);
}
if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);
include('linux_unpatched.inc');
var distro_constraints_array = {
"Debian Linux-11": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "11",
"pkgs": [
{"reference": "libapache-opennlp-java"},
{"reference": "opennlp"}
]
}
]
},
"Debian Linux-12": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "12",
"pkgs": [
{"reference": "libapache-opennlp-java"},
{"reference": "opennlp"}
]
}
]
},
"Debian Linux-13": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "13",
"pkgs": [
{"reference": "libapache-opennlp-java"},
{"reference": "opennlp"}
]
}
]
},
"Ubuntu Linux-20.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "20.04",
"pkgs": [
{"reference": "apache-opennlp"}
]
}
]
},
"Ubuntu Linux-22.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "22.04",
"pkgs": [
{"reference": "apache-opennlp"}
]
}
]
},
"Ubuntu Linux-24.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "24.04",
"pkgs": [
{"reference": "apache-opennlp"}
]
}
]
},
"Ubuntu Linux-25.10": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "25.10",
"pkgs": [
{"reference": "apache-opennlp"}
]
}
]
}
};
var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);
if (!empty_or_null(report))
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : report
);
exit(0);
}
else
{
audit(AUDIT_HOST_NOT, 'affected');
}
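The plugin description above explains the ordering defect behind CVE-2026-42027: `Class.forName()` initializes the named class before the `isAssignableFrom` check has a chance to reject it, so a manifest entry can run an arbitrary classpath class's static initializer. The following Java program is an added example, not OpenNLP's own code or the project's patch. It places a loader written in that flawed order beside a hardened one that consults a package-prefix allowlist before any class loading, as the advisory describes the fix doing, and additionally loads with `initialize=false` so that even an opted-in package cannot reach a static initializer until the type check has passed (that second measure is this example's own addition). The package `demo.loader`, the `ToolFactory` interface, the sentinel classes and the manifest map are all constructed for the demonstration; the reading of `OPENNLP_EXT_ALLOWED_PACKAGES` follows the advisory's description, but how the default `opennlp.` prefix is merged with it is assumed.

```java
package demo.loader;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example (not OpenNLP code): a manifest-driven extension loader in the
 * flawed order the advisory describes (Class.forName first, type check second)
 * beside a hardened order (allowlist, then uninitialized load, then type check).
 */
public class ManifestExtensionLoader {

    /** Stand-in for an OpenNLP extension interface such as BaseToolFactory (constructed). */
    public interface ToolFactory { }

    /** Counts how many times the sentinel's static initializer has run. */
    static final AtomicInteger CLINIT_RUNS = new AtomicInteger();

    /** Not a ToolFactory, but carries a side-effecting static initializer
     *  (stands in for JNDI, network or filesystem activity during class init). */
    public static class NotAFactory {
        static { CLINIT_RUNS.incrementAndGet(); }
    }

    /** Legitimate extension that passes the type check. */
    public static class SafeFactory implements ToolFactory { }

    /** Flawed order: the class is loaded AND initialized before the subtype check can reject it. */
    static ToolFactory loadFlawed(String className) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className);            // <clinit> of className has already run here
        if (!ToolFactory.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException("not a ToolFactory: " + className);
        }
        return (ToolFactory) cls.getDeclaredConstructor().newInstance();
    }

    /** Hardened order: allowlist first, then a load with initialize=false, then the type check.
     *  A disallowed or mistyped class never reaches its static initializer. */
    static ToolFactory loadHardened(String className, List<String> allowedPrefixes)
            throws ReflectiveOperationException {
        if (allowedPrefixes.stream().noneMatch(className::startsWith)) {
            throw new IllegalArgumentException("package not allowlisted: " + className);
        }
        ClassLoader cl = ManifestExtensionLoader.class.getClassLoader();
        Class<?> cls = Class.forName(className, false, cl);  // loaded but NOT initialized
        if (!ToolFactory.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException("not a ToolFactory: " + className);
        }
        // Initialization happens here, only for a class that is a verified subtype.
        return (ToolFactory) cls.getDeclaredConstructor().newInstance();
    }

    /** Allowlist: "opennlp." by default plus the comma-separated system property named in the
     *  advisory. Treating the property as additive to the default is an assumption of this example. */
    static List<String> allowedPrefixes() {
        List<String> prefixes = new ArrayList<>(List.of("opennlp."));
        String extra = System.getProperty("OPENNLP_EXT_ALLOWED_PACKAGES", "");
        Arrays.stream(extra.split(",")).map(String::trim).filter(s -> !s.isEmpty()).forEach(prefixes::add);
        return prefixes;
    }

    public static void main(String[] args) throws Exception {
        // Constructed manifest.properties content naming a class that is not an extension.
        Map<String, String> manifest = Map.of("factory", NotAFactory.class.getName());
        String name = manifest.get("factory");

        // 1. Hardened loader, default allowlist: rejected before Class.forName, <clinit> never runs.
        try { loadHardened(name, allowedPrefixes()); }
        catch (IllegalArgumentException e) { System.out.println("hardened: " + e.getMessage()); }
        System.out.println("clinit runs after hardened/default allowlist: " + CLINIT_RUNS.get()); // 0

        // 2. Hardened loader with the package opted in: loaded uninitialized, rejected by the type check.
        try { loadHardened(name, List.of("demo.loader.")); }
        catch (IllegalArgumentException e) { System.out.println("hardened: " + e.getMessage()); }
        System.out.println("clinit runs after hardened/opt-in: " + CLINIT_RUNS.get()); // still 0

        // 3. A legitimate factory under the opted-in prefix loads normally.
        ToolFactory ok = loadHardened(SafeFactory.class.getName(), List.of("demo.loader."));
        System.out.println("loaded: " + ok.getClass().getSimpleName());

        // 4. Flawed loader: the type check still rejects, but only after the static initializer fired.
        try { loadFlawed(name); }
        catch (IllegalArgumentException e) { System.out.println("flawed: " + e.getMessage()); }
        System.out.println("clinit runs after flawed: " + CLINIT_RUNS.get()); // 1
    }
}
```

Run it with `java ManifestExtensionLoader.java` (JDK 11 or later source-launcher mode). The counter stays at 0 through both hardened calls and only becomes 1 after the flawed call, which is the whole point of the advisory: the `isAssignableFrom` check is correct in both loaders, but in the flawed one it runs too late to prevent the side effect. The `initialize=false` load is worth keeping even with the allowlist in place, since it also closes the narrower vector the advisory mentions for opted-in packages that contain classes with side-effecting static initializers.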