Ubuntu USN · USN-8256-1

opam vulnerability

Published: Thu, 07 May 2026 15:21

CVE-2026-41082

Summary

opam could be made to install files in unintended locations if it installed a specially crafted package.

Details

Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution.

Recommended actions per Ubuntu release

StackPatch playbook auto-generated per release codename and per affected package.

Ubuntu focal

opam→2.0.5-1ubuntu1+esm1apt_upgrade
Standard apt upgrade. Install 2.0.5-1ubuntu1+esm1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam→2.0.5-1ubuntu1+esm1apt_upgrade
Standard apt upgrade. Install 2.0.5-1ubuntu1+esm1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam-doc→2.0.5-1ubuntu1+esm1apt_upgrade
Standard apt upgrade. Install 2.0.5-1ubuntu1+esm1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam-installer→2.0.5-1ubuntu1+esm1apt_upgrade
Standard apt upgrade. Install 2.0.5-1ubuntu1+esm1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-installer
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu jammy

opam→2.1.2-1+deb12u1build0.22.04.1apt_upgrade
Standard apt upgrade. Install 2.1.2-1+deb12u1build0.22.04.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam→2.1.2-1+deb12u1build0.22.04.1apt_upgrade
Standard apt upgrade. Install 2.1.2-1+deb12u1build0.22.04.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam-doc→2.1.2-1+deb12u1build0.22.04.1apt_upgrade
Standard apt upgrade. Install 2.1.2-1+deb12u1build0.22.04.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam-installer→2.1.2-1+deb12u1build0.22.04.1apt_upgrade
Standard apt upgrade. Install 2.1.2-1+deb12u1build0.22.04.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-installer
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu noble

opam→2.1.5-1ubuntu0.1~esm2apt_upgrade_esm
Fixed at 2.1.5-1ubuntu0.1~esm2 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam=2.1.5-1ubuntu0.1~esm2
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
opam→2.1.5-1ubuntu0.1~esm2apt_upgrade_esm
Fixed at 2.1.5-1ubuntu0.1~esm2 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam=2.1.5-1ubuntu0.1~esm2
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
opam-doc→2.1.5-1ubuntu0.1~esm2apt_upgrade_esm
Fixed at 2.1.5-1ubuntu0.1~esm2 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-doc=2.1.5-1ubuntu0.1~esm2
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
opam-installer→2.1.5-1ubuntu0.1~esm2apt_upgrade_esm
Fixed at 2.1.5-1ubuntu0.1~esm2 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-installer=2.1.5-1ubuntu0.1~esm2
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Ubuntu questing

opam→2.3.0-1+deb13u1build0.25.10.1apt_upgrade
Standard apt upgrade. Install 2.3.0-1+deb13u1build0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam→2.3.0-1+deb13u1build0.25.10.1apt_upgrade
Standard apt upgrade. Install 2.3.0-1+deb13u1build0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam-doc→2.3.0-1+deb13u1build0.25.10.1apt_upgrade
Standard apt upgrade. Install 2.3.0-1+deb13u1build0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-doc
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
opam-installer→2.3.0-1+deb13u1build0.25.10.1apt_upgrade
Standard apt upgrade. Install 2.3.0-1+deb13u1build0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-installer
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu resolute

opam→2.5.0-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.5.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam=2.5.0-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
opam→2.5.0-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.5.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam=2.5.0-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
opam-doc→2.5.0-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.5.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-doc=2.5.0-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
opam-installer→2.5.0-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.5.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y opam-installer=2.5.0-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Are YOU affected by USN-8256-1?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8256-1 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →