Description
Microsoft Hosted Ubuntu Images affected by CVE-2026-23268 and CVE-2026-23269
Platforms affected
Runner images affected
Image version and build link
Image version: 20260111.209.1
Is it regression?
no
Expected behavior
No CVE present
Actual behavior
Customer reported that their Managed DevOps Pools using the Microsoft-managed image Azure Pipelines - Ubuntu 24.04 are still showing package versions that they believe are affected by CVE-2026-23268 and CVE-2026-23269, and they want both immediate mitigation guidance and a Microsoft ETA for the image fix.
Repro steps
Use either affected MDP pool configured with Azure Pipelines - Ubuntu 24.04, run a YAML pipeline with a CmdLine@2 task, and execute the customer’s diagnostic commands to inspect AppArmor state and installed package versions. Example YAML:
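- task: CmdLine@2
  inputs:
    script: |
      set -x
      # Prints Y when the AppArmor kernel module is enabled
      cat /sys/module/apparmor/parameters/enabled
      # List installed (state "ii") sudo and util-linux packages with their versions
      dpkg -l 'sudo*' 'util-linux' | grep ^ii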