CVE-2026-11837

NameCVE-2026-11837
DescriptionA local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1139917

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)bullseye2.10.7+merged+base+2.10.17+dfsg-0+deb11u1vulnerable
bullseye (security)2.10.7+merged+base+2.10.17+dfsg-0+deb11u4vulnerable
bookworm7.7.0+dfsg-3+deb12u1vulnerable
trixie12.0.0+dfsg-0+deb13u1vulnerable
forky, sid14.0.0+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)(unfixed)1139917

Notes

[trixie] - ansible <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2487424
https://github.com/ansible-collections/ansible.posix/issues/759
https://github.com/ansible-collections/ansible.posix/pull/760
Fixed by: https://github.com/ansible-collections/ansible.posix/commit/18f2f69c53ffe8014a3047ac8c523ae6671be63e

Search for package or bug name: Reporting problems