CVE-2026-39958 Overview
CVE-2026-39958 is an improper input validation vulnerability in oma, the package manager for AOSC OS. In versions prior to 1.25.2, the oma-topics component, which fetches metadata for testing repositories (topics) called "Topic Manifests" from remote repository servers at {mirror}/debs/manifest/topics.json and registers them as APT source entries, did not check the name field of that metadata for transliteration or control characters. A malicious party could supply a malformed Topic Manifest containing control characters, causing malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list once oma-topics finishes fetching and registering the metadata.
Critical Impact
Successful exploitation could allow an attacker to inject arbitrary APT repository sources into the system configuration, potentially leading to the installation of malicious packages and full system compromise through a supply chain attack.
Affected Products
- oma (AOSC OS Package Manager) versions prior to 1.25.2
- AOSC OS systems using affected oma-topics functionality
- Systems with topics repository configuration enabled
Discovery Timeline
- 2026-04-09 - CVE-2026-39958 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39958
Vulnerability Analysis
This vulnerability is classified as CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'). The root issue lies in the oma-topics component's failure to validate and sanitize topic names fetched from remote manifest files before writing them to APT source configuration files.
When oma-topics retrieves the topics.json manifest from a remote mirror, it processes the name field without checking for control characters such as carriage returns (\r), line feeds (\n), or other special characters. Since APT source list files are line-based configuration files, an attacker who controls a mirror or can perform a man-in-the-middle attack could craft a topic name containing newline characters followed by a malicious repository URL. This would result in an additional, attacker-controlled APT source being injected into /etc/apt/sources.list.d/atm.list.
Root Cause
The vulnerability stems from insufficient input validation in the topic name parsing logic. The name field from the JSON manifest was directly used without sanitization, allowing control characters to be embedded and subsequently written to configuration files. This is a classic CRLF injection scenario where user-controlled or remote-controlled data is used in a context where newline characters have special meaning.
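The root cause above, shown as an added example that is not oma's own code: a topic name is interpolated verbatim into a line-based APT entry, so a name carrying a newline yields a second entry, while a validation step that rejects control characters (the shape of the 1.25.2 fix) stops it. The entry layout, the mirror URL and the `TopicEntry`/`TopicError` types are assumptions of this example; rejecting whitespace as well is a stricter choice than the page describes and is labelled as such in the code.

```rust
// Added example (not oma's own code): models how an unvalidated Topic Manifest
// name reaches a line-based APT source file, and the check the fix introduces.
use std::fmt;

/// Mirror base URL: constructed placeholder, not a real AOSC mirror.
pub const MIRROR: &str = "https://mirror.example.invalid/debs";

/// One Topic Manifest entry; only the `name` field is modelled (assumed shape).
#[derive(Debug, Clone)]
pub struct TopicEntry {
    pub name: String,
}

/// Hypothetical error type carrying the fix's "illegal character(s)" message.
#[derive(Debug, Clone, PartialEq)]
pub enum TopicError {
    IllegalCharacter { name: String },
}

impl fmt::Display for TopicError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            // Escape the name so the rejected control characters cannot also
            // corrupt the log line that reports them.
            TopicError::IllegalCharacter { name } => write!(
                f,
                "Topic entry contains illegal character(s): {}",
                name.escape_default()
            ),
        }
    }
}

/// Reject a name that could break out of its field in a line-based file.
/// `is_control` covers C0 (including \r and \n), DEL and C1 controls. Also
/// rejecting whitespace is this example's stricter choice, because the APT
/// entry is space-delimited, so a space could inject an extra field.
pub fn validate_topic_name(name: &str) -> Result<(), TopicError> {
    if name.is_empty() || name.chars().any(|c| c.is_control() || c.is_whitespace()) {
        return Err(TopicError::IllegalCharacter { name: name.to_string() });
    }
    Ok(())
}

/// Pre-fix behaviour: the name is interpolated verbatim (assumed entry layout).
pub fn render_source_line_unchecked(topic: &TopicEntry) -> String {
    format!("deb {}/{} main\n", MIRROR, topic.name)
}

/// Fixed behaviour: validate first, then render.
pub fn render_source_line_checked(topic: &TopicEntry) -> Result<String, TopicError> {
    validate_topic_name(&topic.name)?;
    Ok(render_source_line_unchecked(topic))
}

/// Number of APT entries (non-blank lines) a rendered fragment contributes.
pub fn count_entries(rendered: &str) -> usize {
    rendered.lines().filter(|l| !l.trim().is_empty()).count()
}

fn main() {
    // Constructed inputs: a benign name, and one carrying an injected second entry.
    let benign = TopicEntry { name: "kernel-6.12".to_string() };
    let hostile = TopicEntry {
        name: "kernel-6.12 main\ndeb https://untrusted.example.invalid/debs stable".to_string(),
    };
    let unchecked = render_source_line_unchecked(&hostile);
    println!("benign  -> {} entry", count_entries(&render_source_line_unchecked(&benign)));
    println!("hostile -> {} entries without validation", count_entries(&unchecked));
    match render_source_line_checked(&hostile) {
        Ok(_) => println!("unexpected: hostile name accepted"),
        Err(e) => println!("rejected: {}", e),
    }
}
```

The `Display` implementation escapes the offending name before printing it; reporting a name that contains control characters verbatim would let the same bytes reach the terminal or log that records the rejection.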
Attack Vector
The attack requires network access and the ability to serve or modify Topic Manifest data. An attacker could exploit this vulnerability through:
- Compromised Mirror: If an attacker gains control of an AOSC OS mirror server, they can serve malicious topic manifests to all users fetching from that mirror.
- Man-in-the-Middle Attack: On networks where the attacker can intercept traffic, they could modify the topics.json response in transit.
- Malicious Mirror Registration: Convincing users to add a malicious mirror to their configuration.
The security patch adds validation to reject topic names containing control characters; the localization hunk below adds the corresponding error message:
failed-to-operate-path = Failed to perform file operations in { $p }.
failed-to-get-parent-path = Failed to get parent path of { $p }.
failed-to-read-file-metadata = Failed to read file metadata for { $p }.
+illegal-topic-entry = Topic entry contains illegal character(s): { $name }.
failed-to-get-rg-process-info = Failed to get process status for `rg'.
failed-to-calculate-available-space = Failed to calculate available storage space.
failed-to-create-http-client = Failed to create an HTTP client.
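Review bot: Only the new Fluent message `illegal-topic-entry` is visible in this hunk; the check that actually rejects topic names with control characters lives elsewhere, so the advisory should cite that hunk (and the test that exercises a name containing `\r` or `\n`) rather than the string table alone. As written, `{ $name }` will reproduce the offending control characters in the error output; consider escaping or hex-encoding the name when the message is rendered so the reporting line itself cannot be broken by the value it rejects.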
Source: GitHub Commit Update
Detection Methods for CVE-2026-39958
Indicators of Compromise
- Unexpected or unauthorized entries in /etc/apt/sources.list.d/atm.list
- APT source entries pointing to unknown or suspicious repository URLs
- Unusual package installation attempts from unrecognized repositories
- Network connections to unknown mirror servers during package operations
Detection Strategies
- Monitor changes to /etc/apt/sources.list.d/atm.list using file integrity monitoring tools
- Audit APT source configurations for entries containing control characters or unexpected URLs
- Review oma-topics logs for any unusual topic names or manifest processing errors
- Implement network monitoring to detect connections to unauthorized package repositories
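The second detection strategy above (auditing APT source configurations for control characters or unexpected URLs), as an added example that is not part of the advisory or of oma: a small Rust auditor that reads a source list such as /etc/apt/sources.list.d/atm.list and reports lines that carry control characters, lines whose mirror host is not on an operator-supplied allow list, and lines that do not parse as a `deb`/`deb-src` entry. The sample file content, the `repo.example.invalid` allow list and the `Finding` type are constructed for the example.

```rust
// Added example, not part of the advisory or of oma: audits the content of an
// APT source list such as /etc/apt/sources.list.d/atm.list for entries that
// carry control characters or reference a mirror host outside an allow list.
use std::fs;

#[derive(Debug, Clone, PartialEq)]
pub enum Finding {
    ControlCharacter { line_no: usize },
    UnknownHost { line_no: usize, host: String },
    Malformed { line_no: usize },
}

/// Host name of an http(s) URL, without user-info or port; None for anything else.
pub fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("https://").or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split('/').next().unwrap_or("");
    let host = authority.rsplit('@').next().unwrap_or(authority);
    let host = host.split(':').next().unwrap_or(host);
    if host.is_empty() { None } else { Some(host) }
}

/// Audit every line of `content` against the operator's approved mirror hosts.
pub fn audit_sources(content: &str, allowed_hosts: &[&str]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in content.split('\n').enumerate() {
        let line_no = idx + 1;
        // Any C0/C1 control (a stray \r included) or DEL has no place in this file.
        if line.chars().any(|c| c.is_control()) {
            findings.push(Finding::ControlCharacter { line_no });
            continue;
        }
        let trimmed = line.trim();
        if trimmed.is_empty() || trimmed.starts_with('#') {
            continue;
        }
        let mut fields = trimmed.split_whitespace();
        let kind = fields.next().unwrap_or("");
        let mut url = fields.next().unwrap_or("");
        if url.starts_with('[') {
            // Skip an options block such as "[arch=amd64 trusted=yes]".
            while !url.ends_with(']') {
                match fields.next() {
                    Some(f) => url = f,
                    None => break,
                }
            }
            url = fields.next().unwrap_or("");
        }
        if kind != "deb" && kind != "deb-src" {
            findings.push(Finding::Malformed { line_no });
            continue;
        }
        match host_of(url) {
            None => findings.push(Finding::Malformed { line_no }),
            Some(host) if !allowed_hosts.iter().any(|a| a.eq_ignore_ascii_case(host)) => {
                findings.push(Finding::UnknownHost { line_no, host: host.to_string() })
            }
            Some(_) => {}
        }
    }
    findings
}

/// Constructed sample standing in for atm.list; line 4 carries a CR, line 5 an
/// unapproved host and line 6 a non-http scheme.
pub const SAMPLE_ATM_LIST: &str = "\
# constructed sample, not a real atm.list
deb https://repo.example.invalid/debs kernel-6.12 main
deb [arch=amd64] https://repo.example.invalid/debs stable main
deb https://repo.example.invalid/debs topic\ret main
deb https://untrusted.example.invalid/debs stable main
deb ftp://repo.example.invalid/debs x main
";

fn main() {
    // Use the file given as the first argument, otherwise the built-in sample.
    let content = match std::env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read source list"),
        None => SAMPLE_ATM_LIST.to_string(),
    };
    // Allow list is a constructed value; replace it with the approved mirror names.
    for finding in audit_sources(&content, &["repo.example.invalid"]) {
        println!("{:?}", finding);
    }
}
```

Run it with the path to the real file as its only argument; a clean, fully patched system with only approved mirrors should produce no findings, so any output is worth a look during the review recommended under "Immediate Actions Required".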
Monitoring Recommendations
- Deploy file integrity monitoring (FIM) on APT source configuration directories
- Set up alerts for any modifications to /etc/apt/sources.list.d/ files outside of authorized maintenance windows
- Monitor DNS queries and network traffic for connections to unfamiliar package mirror domains
- Implement centralized logging for package manager operations
How to Mitigate CVE-2026-39958
Immediate Actions Required
- Update oma to version 1.25.2 or later immediately
- Review /etc/apt/sources.list.d/atm.list for any suspicious or malformed entries
- Verify the integrity of configured package mirrors
- Consider temporarily disabling topics functionality if immediate patching is not possible
Patch Information
The vulnerability is fixed in oma version 1.25.2. The fix adds input validation to reject topic names containing control characters, preventing CRLF injection attacks. Users should update using their system's package manager or by obtaining the fixed version from the official release.
For additional details, see the GitHub Security Advisory GHSA-86jc-7r6q-cr3f and Pull Request #733.
Workarounds
- Manually audit and remove any suspicious entries from /etc/apt/sources.list.d/atm.list
- Disable the topics feature temporarily by avoiding use of oma topics commands until patched
- Configure network-level controls to restrict package mirror access to trusted sources only
- Use HTTPS-only mirrors where available to reduce man-in-the-middle attack risk
# Verify the installed oma version (must be 1.25.2 or later)
oma --version
# Check for ASCII control characters (including CR) or DEL in the topics source list
grep -nP '[\x00-\x1F\x7F]' /etc/apt/sources.list.d/atm.list
# Update oma to the patched version
oma upgrade oma
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

