CVE-2026-10037

Canonical · Ubuntu

A sandbox escape vulnerability in Ubuntu's OpenJDK packages allows arbitrary code execution outside the sandbox when the mailcap package is installed.

Executive summary

A high-severity sandbox escape vulnerability exists in Canonical Ubuntu OpenJDK packages that allows local attackers to execute arbitrary code outside of the intended sandbox environment.

Vulnerability

This vulnerability occurs because .jar MIME handlers execute files marked as executable when the mailcap package is present. This flaw allows a compromised application running within a sandbox to bypass security controls and execute arbitrary code on the underlying host system.

Business impact

With a CVSS score of 8.8, this vulnerability poses a significant risk to system integrity and confidentiality. Successful exploitation permits an attacker to escape containerized or sandboxed environments, potentially leading to full system compromise, unauthorized data access, and lateral movement within the network.

Remediation

Immediate Action: Update the mailcap package to the patched versions: 3.75ubuntu1.1, 3.74ubuntu1.1, 3.70+nmu1ubuntu1.24.04.1, or 3.70+nmu1ubuntu1.22.04.1 depending on your Ubuntu release.

Proactive Monitoring: Review system access logs for anomalous process execution patterns originating from sandboxed Java applications.

Compensating Controls: If patching is delayed, restrict the use of MIME handlers for .jar files and limit the execution permissions of untrusted applications within the environment.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this sandbox escape necessitates immediate action. Administrators should prioritize the deployment of the specified mailcap security updates across all affected Ubuntu instances to prevent potential host-level compromise.