Critical RCE Vulnerability in Ubuntu 24.04 LTS Wheel Package
Severity: High (Score: 72.8)
Sources: Linuxsecurity, Ubuntu
Summary
A critical vulnerability (CVE-2026-24049) has been identified in the 'wheel' command-line tool used in Ubuntu 24.04 LTS and its derivatives. This flaw allows attackers to execute arbitrary code by tricking users or automated systems into opening specially crafted files. The vulnerability arises from improper handling of certain file paths within the 'wheel' package. It poses a significant risk because it can lead to unauthorized code execution under the user's login context.

The issue was publicly disclosed on January 22, 2026, and a proof of concept was released shortly after, on February 5, 2026. Affected packages include python-wheel-common, python3-wheel, and python3-wheel-whl, all of which have updates available through Ubuntu Pro. Users of Ubuntu 24.04 LTS are urged to update their systems to the patched versions of the affected packages. A standard system update is recommended to mitigate this risk.

Key Points:
- CVE-2026-24049 allows arbitrary code execution via crafted wheel files.
- Affected systems include Ubuntu 24.04 LTS and its derivatives.
- Users should update to patched versions of the wheel package immediately.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-24049 (cve)
- CWE-22 - Path Traversal (cwe)
- CWE-94 - Code Injection (cwe)
- Ubuntu (company)
- Wheel Vulnerability (vulnerability)
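
A defensive pre-check for the CWE-22 class listed above, as an added example that is not code from Ubuntu or the wheel project: it lists the entries of a wheel archive whose stored path would resolve outside the extraction directory. This page does not describe the exact flaw behind CVE-2026-24049, so the check models path traversal in general; the function names, the `/extract` directory and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile


def escaping_members(wheel_file, dest="/extract"):
    """Return (stored_name, resolved_target) for each archive entry whose
    path, joined to dest without validation, resolves outside dest."""
    findings = []
    with zipfile.ZipFile(wheel_file) as zf:
        for info in zf.infolist():
            # Lexical resolution only: nothing is extracted or written.
            # An absolute stored name replaces dest entirely in join().
            target = posixpath.normpath(posixpath.join(dest, info.filename))
            if not (target + "/").startswith(dest + "/"):
                findings.append((info.filename, target))
    return findings


def build_sample_wheel():
    """Constructed in-memory archive: two ordinary entries, two that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "")
        zf.writestr("demo_pkg-1.0.dist-info/METADATA", "Name: demo-pkg\n")
        zf.writestr("demo_pkg/../../outside.txt", "constructed")
        zf.writestr("/tmp/absolute.txt", "constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, target in escaping_members(build_sample_wheel()):
        print(f"REJECT {name!r}: would resolve to {target}")
```

The check is a triage aid for wheel files from untrusted sources and does not replace installing the patched packages.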