
Microsoft Hosted Ubuntu Images affected by CVE-2026-23268 and CVE-2026-23269 #13877

@kripa-2019

Description

Microsoft Hosted Ubuntu Images affected by CVE-2026-23268 and CVE-2026-23269

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 22.04
  • Ubuntu 24.04
  • Ubuntu Slim
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • macOS 26
  • macOS 26 Arm64
  • Windows Server 2022
  • Windows Server 2025
  • Windows Server 2025 with Visual Studio 2026

Image version and build link

Image

Image version: 20260111.209.1

Is it regression?

no

Expected behavior

No CVE present

Actual behavior

Customer reported that their Managed DevOps Pools using the Microsoft-managed image Azure Pipelines - Ubuntu 24.04 are still showing package versions that they believe are affected by CVE-2026-23268 and CVE-2026-23269, and they want both immediate mitigation guidance and a Microsoft ETA for the image fix.

Repro steps

Use either affected MDP pool configured with Azure Pipelines - Ubuntu 24.04, run a YAML pipeline with a CmdLine@2 task, and execute the customer’s diagnostic commands to inspect AppArmor state and installed package versions. Example YAML:

- task: CmdLine@2
  inputs:
    script: |
      set -x
      cat /sys/module/apparmor/parameters/enabled
      dpkg -l 'sudo*' 'util-linux' | grep ^ii
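
An added example, not part of the issue or of the runner-images project: one way to turn the diagnostic output from the repro steps into a pass/fail check. The function names, the sample `dpkg -l` rows and the fixed versions are constructed placeholders; the real fixed versions have to come from the distribution's security notice for the two CVEs.

```shell
#!/bin/sh
# Added example. Sample data and fixed versions below are constructed
# placeholders, not values from the issue or from any advisory.

# Constructed sample of `dpkg -l 'sudo*' 'util-linux' | grep ^ii` output.
SAMPLE_DPKG='ii  sudo        1.0.0-1ubuntu1  amd64  constructed sample row
ii  util-linux  2.0.0-1ubuntu1  amd64  constructed sample row'

# Placeholder "package=first-fixed-version" pairs; replace with the versions
# published in the distribution security notice for the CVEs in the issue.
PLACEHOLDER_FIXED='sudo=1.0.0-1ubuntu1.1 util-linux=2.0.0-1ubuntu1'

# apparmor_state [FILE]: print enabled, disabled, or absent. "absent" covers
# hosts and containers where the AppArmor module parameter is not exposed.
apparmor_state() (
  f="${1:-/sys/module/apparmor/parameters/enabled}"
  if [ ! -r "$f" ]; then echo absent
  elif [ "$(cat "$f")" = Y ]; then echo enabled
  else echo disabled
  fi
)

# below_fixed "PKG=VER ...": read `dpkg -l` rows on stdin and print every
# installed (ii) package whose version sorts below its fixed version.
# Uses dpkg's own comparison so epochs, "~" and "ubuntuN.M" suffixes order
# correctly.
below_fixed() (
  want="$1"
  while read -r st name ver rest; do
    [ "$st" = ii ] || continue
    name="${name%%:*}"                    # drop a ":amd64" multiarch suffix
    for pair in $want; do
      [ "${pair%%=*}" = "$name" ] || continue
      fixed="${pair#*=}"
      if dpkg --compare-versions "$ver" lt "$fixed"; then
        echo "$name $ver < $fixed"
      fi
    done
  done
)

# In a pipeline step (fails the job when anything is below its fixed version):
#   echo "AppArmor: $(apparmor_state)"
#   hits=$(dpkg -l 'sudo*' 'util-linux' | below_fixed "$PLACEHOLDER_FIXED")
#   [ -z "$hits" ] || { echo "$hits"; exit 1; }
```

Packages matched by the `sudo*` glob that have no entry in the fixed-version list are skipped rather than reported.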
