CVE-2026-0848
Publication date 5 March 2026
Last updated 27 May 2026
Ubuntu priority
Description
NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nltk | 26.04 LTS resolute |
Fixed 3.9.2-1ubuntu0.1~esm2
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Fixed 3.8.1-1ubuntu0.1~esm2
|
|
| 22.04 LTS jammy |
Fixed 3.7-1ubuntu0.1~esm2
|
|
| 20.04 LTS focal |
Fixed 3.4.5-2ubuntu0.1~esm4
|
|
| 18.04 LTS bionic |
Fixed 3.2.5-1ubuntu0.1+esm4
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needed | |
| 14.04 LTS trusty |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
10.0 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8302-1
- NLTK vulnerabilities
- 25 May 2026