CVE-2026-39958
Received Received - Intake
Metadata Injection Vulnerability in oma-topics Allows Malicious APT Sources

Publication date: 2026-04-09

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39958
EUVD
EUVD-2026-20962
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aosc-dev oma to 1.25.2 (inc)
aosc-dev oma-topics to 1.25.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-39958 affects the oma package manager, specifically the oma-topics component responsible for fetching metadata called Topic Manifests from remote repository servers.

The issue arises because the 'name' field in the Topic Manifests was not properly checked for control characters such as newline characters. This allowed maliciously crafted topic names containing control characters to be injected into the system's APT source list file (/etc/apt/sources.list.d/atm.list).

An attacker could exploit this by supplying a malformed Topic Manifest that causes unauthorized Debian package sources to be added to the system's package manager configuration, potentially leading to the installation of untrusted or malicious packages.

The vulnerability was fixed in version 1.25.2 by adding validation to reject any topic names containing control characters, preventing such malicious entries from being processed.

Impact Analysis

This vulnerability can impact you by allowing an attacker to inject arbitrary and potentially malicious Debian package sources into your system's package manager configuration.

As a result, your system could unknowingly download and install untrusted or harmful software packages, compromising system integrity, security, and stability.

Such unauthorized package sources could lead to malware infections, data breaches, or other security incidents depending on the nature of the malicious packages introduced.

Detection Guidance

This vulnerability involves maliciously crafted topic names containing control characters being injected into the /etc/apt/sources.list.d/atm.list file. To detect if your system is affected, you can inspect the atm.list file for suspicious or malformed entries that may contain control characters or unexpected Debian package sources.

A practical detection method is to check the contents of the atm.list file for control characters or unusual entries. For example, you can use the following command to detect non-printable or control characters in the file:

  • grep -P '[\x00-\x1F\x7F]' /etc/apt/sources.list.d/atm.list

Alternatively, you can review the topic manifests fetched by oma-topics, especially the topics.json file from the remote repository, to see if any topic names contain control characters or suspicious content.

Since the vulnerability is related to the oma-topics component processing topic names, monitoring logs or error messages from oma-topics for entries about illegal topic entries containing control characters can also help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the oma package to version 1.25.2 or later, where the vulnerability has been fixed by rejecting topic names containing control characters.

Until you can upgrade, you should manually inspect and clean the /etc/apt/sources.list.d/atm.list file to remove any suspicious or malformed entries that may have been injected.

Additionally, avoid using untrusted or unofficial topic manifests or repositories that could supply malicious topic names.

Monitoring oma-topics logs for errors related to illegal topic entries can help identify attempts to exploit this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart