
CVE-2026-39958 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-39958 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-39958 is a metadata-integrity vulnerability in oma, the package manager for AOSC OS. It affects the oma-topics component, which fetches Topic Manifest metadata from remote mirrors.

Technical Detail

Prior to version 1.25.2, oma-topics retrieves the Topic Manifests file ({mirror}/debs/manifest/topics.json) from each configured mirror source and processes it. The published description is truncated, but the component likely fails to adequately validate the integrity or authenticity of the fetched manifest. A network-positioned attacker or a compromised mirror could then supply a malicious manifest and influence which topics and packages oma resolves and installs. The practical impact could include delivery of tampered packages and arbitrary code execution in the context of the package manager, which typically runs with elevated privileges during system updates.

Exploitation Status

No known exploit exists for this vulnerability at this time. Exploit maturity is rated at zero: no public proof of concept or observed exploitation has been confirmed. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of April 16, 2026.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Given the niche user base of AOSC OS, opportunistic targeting is considered low probability, though supply-chain and mirror-compromise scenarios remain relevant.

What To Do

Administrators and users running oma on AOSC OS should upgrade to version 1.25.2 or later, which contains the fix for this vulnerability. Given the CVSS score of 9.1, treat patching as high priority even in the absence of known active exploitation. Until patching is complete, configure only trusted, verified mirrors, reach them over HTTPS where the mirror offers it (this blunts the network-positioned case but does nothing against a compromised mirror), and monitor for unexpected changes to package selections or repository metadata. No formal workaround has been confirmed as a substitute for the patch.
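As an added illustration, not oma's own code (the real oma-topics manifest schema and verification logic are not shown on this page), the following Python sketch contrasts the unverified fetch pattern described under Technical Detail with a hardened one that checks transport, pins an out-of-band digest and validates the schema, and it includes the metadata-change check suggested above. The manifest layout, the topic and package naming rules, the mirror URL and the source of the pinned digest are all assumptions, and the sample manifests are constructed.

```python
"""Illustrative fetch-and-verify logic for a topic manifest (not oma's code)."""
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

# Constructed sample: the manifest schema is an assumption, not oma's real format.
TRUSTED_MANIFEST = json.dumps({
    "topics": [
        {"name": "core-update", "packages": ["glibc", "systemd"]},
        {"name": "kernel-6.12", "packages": ["linux-kernel"]},
    ]
}, sort_keys=True).encode()

# Constructed hostile response: a compromised mirror appends one extra topic.
TAMPERED_MANIFEST = json.dumps({
    "topics": [
        {"name": "core-update", "packages": ["glibc", "systemd"]},
        {"name": "kernel-6.12", "packages": ["linux-kernel"]},
        {"name": "../../evil", "packages": ["backdoored-sudo"]},
    ]
}, sort_keys=True).encode()

MIRROR_URL = "https://mirror.example/debs/manifest/topics.json"  # hypothetical mirror
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")   # assumed naming rule


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


# Digest the client is assumed to have obtained out of band (for instance from a
# signed release file). A digest served by the same mirror would prove nothing.
TRUSTED_DIGEST = sha256_hex(TRUSTED_MANIFEST)


class ManifestError(Exception):
    """Raised when a manifest fails transport, integrity or schema checks."""


def load_manifest_unverified(body: bytes) -> list[str]:
    """Vulnerable pattern: whatever the mirror returned becomes the topic list."""
    return [topic["name"] for topic in json.loads(body)["topics"]]


def load_manifest_verified(body: bytes, expected_sha256: str, source_url: str) -> list[str]:
    """Hardened pattern: check transport, then integrity, then schema."""
    if urlparse(source_url).scheme != "https":
        raise ManifestError("manifest must be fetched over https")
    if not hmac.compare_digest(sha256_hex(body), expected_sha256):
        raise ManifestError("manifest digest does not match the pinned value")
    topics = json.loads(body).get("topics")
    if not isinstance(topics, list):
        raise ManifestError("manifest has no topic list")
    names = []
    for topic in topics:
        name = topic.get("name") if isinstance(topic, dict) else None
        if not isinstance(name, str) or not SAFE_NAME.match(name):
            raise ManifestError(f"rejecting malformed topic name {name!r}")
        packages = topic.get("packages", [])
        if not all(isinstance(p, str) and SAFE_NAME.match(p) for p in packages):
            raise ManifestError(f"rejecting malformed package name in topic {name}")
        names.append(name)
    return names


def diff_topics(cached: list[str], fresh: list[str]) -> dict[str, list[str]]:
    """Monitoring aid: report topics that appeared or vanished since the last fetch."""
    return {
        "added": sorted(set(fresh) - set(cached)),
        "removed": sorted(set(cached) - set(fresh)),
    }


if __name__ == "__main__":
    # The unverified loader happily returns the injected topic.
    print("unverified:", load_manifest_unverified(TAMPERED_MANIFEST))
    print("verified:", load_manifest_verified(TRUSTED_MANIFEST, TRUSTED_DIGEST, MIRROR_URL))
    try:
        load_manifest_verified(TAMPERED_MANIFEST, TRUSTED_DIGEST, MIRROR_URL)
    except ManifestError as exc:
        print("rejected:", exc)
    print("drift:", diff_topics(["core-update", "kernel-6.12"],
                                load_manifest_unverified(TAMPERED_MANIFEST)))
```

The digest check is the load-bearing control: it ties the manifest to something the mirror cannot forge. The schema check is defence in depth so that even a manifest whose digest an attacker managed to match cannot smuggle path-like names into package resolution, and the diff is what an operator would log between fetches while waiting to patch.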
