SB2025112625 - Multiple vulnerabilities in LXD




Published: November 26, 2025
Updated: June 29, 2026

Security Bulletin ID: SB2025112625
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 83%, Low: 17%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-64507)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper privilege management when using custom storage volumes. A user who has root access inside a container with an attached custom storage volume whose "security.shifted" property is set to "true", and who also has unprivileged access to the host, can escalate their privileges to root on the host.


2) Link following (CVE-ID: CVE-2026-48750)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the host.

The vulnerability exists due to improper link resolution in the exec-output handling of the /instances/$name/exec endpoint when the record-output parameter is used on an instance created from a crafted image. A remote user can create an instance from such an image and invoke exec with record-output enabled to execute arbitrary code on the host.

The issue arises because a top-level exec-output symlink from the image is extracted as is, so the recorded stdout and stderr files are written to an arbitrary host location.


3) Input validation error (CVE-ID: CVE-2026-48752)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to read and write arbitrary files on the host.

The vulnerability exists due to improper input validation in the image tar extraction logic when processing a specially crafted container image containing a top-level templates symlink. A remote user can import a specially crafted image to read and write arbitrary files on the host.

This issue may also lead to arbitrary command execution on the host.


4) Link following (CVE-ID: CVE-2026-48749)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to read and write arbitrary files on the host.

The vulnerability exists due to improper link resolution in image extraction and in the stopped-container file API when processing a specially crafted image containing a duplicate top-level rootfs symlink. A remote user can import such an image and then use the file API on the stopped container to read and write arbitrary files on the host.

This issue can expose host files with root privileges and may lead to arbitrary command execution.
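Items 2 to 4 share one root cause: a member of an imported image archive (a top-level exec-output, templates or rootfs symlink) is extracted as is and later followed when files are written or read through it. The defensive counterpart is to validate the whole archive before anything is extracted. The Go program below is an added example written for this bulletin, not LXD's own code. It builds three constructed sample archives in memory (the member names rootfs, templates and metadata.yaml follow the bulletin, the files are empty placeholders and the link targets named "outside" are placeholders too) and runs them through a validator that rejects names escaping the extraction root, symlinks and hard links whose target leaves the root, and duplicate members such as a rootfs directory followed by a rootfs symlink.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

type member struct {
	name, link string
	typeflag   byte
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTar serialises members into an in-memory tar stream (sample data only).
func buildTar(members []member) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, m := range members {
		must(tw.WriteHeader(&tar.Header{Name: m.name, Typeflag: m.typeflag, Linkname: m.link, Mode: 0o755}))
	}
	must(tw.Close())
	return buf.Bytes()
}

// cleanName rejects absolute member names and names that lexically escape the root.
func cleanName(name string) (string, error) {
	clean := path.Clean(name)
	if name == "" || path.IsAbs(name) || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("member %q is absolute or escapes the extraction root", name)
	}
	return clean, nil
}

// ValidateImageTar walks the whole archive before anything touches disk and rejects
// escaping names, duplicate members, and symlinks or hard links that leave the root.
func ValidateImageTar(archive []byte) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	seen := map[string]bool{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		name, err := cleanName(hdr.Name)
		if err != nil {
			return err
		}
		if seen[name] { // e.g. a rootfs directory followed by a rootfs symlink
			return fmt.Errorf("duplicate member %q", name)
		}
		seen[name] = true
		switch hdr.Typeflag {
		case tar.TypeSymlink: // resolve relative to the link's own directory
			resolved := path.Join(path.Dir(name), hdr.Linkname)
			if path.IsAbs(hdr.Linkname) || resolved == ".." || strings.HasPrefix(resolved, "../") {
				return fmt.Errorf("symlink %q -> %q leaves the extraction root", name, hdr.Linkname)
			}
		case tar.TypeLink: // hard link targets are archive paths relative to the root
			if _, err := cleanName(hdr.Linkname); err != nil {
				return fmt.Errorf("hard link %q: %w", name, err)
			}
		}
	}
}

// Constructed sample archives (not real LXD images); files are empty, link targets are placeholders.
func sampleImages() map[string][]byte {
	return map[string][]byte{
		"clean": buildTar([]member{
			{name: "metadata.yaml", typeflag: tar.TypeReg},
			{name: "rootfs/bin/busybox", typeflag: tar.TypeReg},
			{name: "rootfs/bin/sh", typeflag: tar.TypeSymlink, link: "busybox"},
		}),
		"escaping top-level symlink": buildTar([]member{
			{name: "templates", typeflag: tar.TypeSymlink, link: "../../outside"},
		}),
		"duplicate rootfs": buildTar([]member{
			{name: "rootfs/", typeflag: tar.TypeDir},
			{name: "rootfs", typeflag: tar.TypeSymlink, link: "/outside"},
		}),
	}
}

func main() {
	for label, img := range sampleImages() {
		fmt.Printf("%-28s %v\n", label+":", ValidateImageTar(img))
	}
}
```

The check is lexical and covers only what is inside the archive; it says nothing about links already present in the destination directory. The extractor should therefore still open paths without following links (O_NOFOLLOW, or openat2 with RESOLVE_BENEATH on Linux), and any later writer, such as the code that records exec output, should resolve its target beneath the instance root at write time rather than trusting a path established at import.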


5) Input validation error (CVE-ID: CVE-2026-48755)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in backup compression algorithm handling when processing backup requests with a user-supplied compression_algorithm value. A remote user can supply a crafted compression algorithm with injected arguments to execute arbitrary code.

The issue can be exploited to achieve an arbitrary file write on the host, which may be leveraged for command execution.
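Argument injection of this kind arises when a user-supplied algorithm name is split into command-line words or passed through a shell. The hardened pattern is to treat the value only as a key into an allowlist that maps to a fixed argv, and to validate its shape before the lookup so that a value carrying whitespace, a leading dash or shell metacharacters is refused outright. The Go code below is an added example, not LXD's own implementation: the compression_algorithm field name is taken from the bulletin, while the request struct, the allowlist rows and the gzip default are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// backupRequest carries only the field this example needs; the real request
// body has more fields. The field name follows the bulletin, the rest is assumed.
type backupRequest struct {
	CompressionAlgorithm string `json:"compression_algorithm"`
}

// compressors is the allowlist: the requested value selects a fixed argv and is
// never split into words or handed to a shell, so it cannot smuggle extra flags
// or a second command. The rows themselves are an assumption for this example.
var compressors = map[string][]string{
	"none":  nil,
	"gzip":  {"gzip", "-c"},
	"bzip2": {"bzip2", "-c"},
	"xz":    {"xz", "-c"},
	"zstd":  {"zstd", "-c"},
}

// algorithmName is the syntactic shape accepted before the lookup: a short bare
// name with no whitespace, no leading dash and no shell metacharacters.
var algorithmName = regexp.MustCompile(`^[a-z0-9][a-z0-9._-]{0,31}$`)

// CompressorArgv resolves a requested algorithm to its argv; an empty value
// selects gzip (the default is an assumption).
func CompressorArgv(requested string) ([]string, error) {
	if requested == "" {
		requested = "gzip"
	}
	if !algorithmName.MatchString(requested) {
		return nil, fmt.Errorf("compression_algorithm %q is not a bare algorithm name", requested)
	}
	argv, ok := compressors[requested]
	if !ok {
		return nil, fmt.Errorf("compression_algorithm %q is not in the allowlist", requested)
	}
	return append([]string(nil), argv...), nil // copy, so callers cannot mutate the table
}

// CompressorFromRequest decodes a backup request body and resolves its
// compression setting.
func CompressorFromRequest(body []byte) ([]string, error) {
	var req backupRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("decode backup request: %w", err)
	}
	return CompressorArgv(req.CompressionAlgorithm)
}

func main() {
	// Constructed request bodies: two valid, two that must be refused.
	for _, body := range []string{
		`{"name": "backup1", "compression_algorithm": "xz"}`,
		`{"name": "backup1", "compression_algorithm": ""}`,
		`{"name": "backup1", "compression_algorithm": "gzip --rsyncable"}`,
		`{"name": "backup1", "compression_algorithm": "xz; id"}`,
	} {
		argv, err := CompressorFromRequest([]byte(body))
		fmt.Printf("%-62s argv=%q err=%v\n", body, argv, err)
	}
}
```

The returned argv is meant to go straight to exec.Command(argv[0], argv[1:]...) with the backup data on stdin; nothing from the request ever reaches a shell, and an unknown but well-formed name ("brotli") fails the allowlist rather than being looked up on PATH.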


6) Path traversal (CVE-ID: CVE-2026-48769)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in image download handling for source.type=url when processing a crafted Incus-Image-Hash header returned by an image server. A remote user who controls the image server can return a crafted header value to write arbitrary files and execute arbitrary code.

The file is created and populated before SHA-256 validation occurs, and a slow or held response can extend the arbitrary-write window.
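The two sentences above describe two separate defects: a header value used to build a filename without being checked, and content written to its final location before the digest is verified. The Go program below is an added example, not LXD's code, showing the pair of mitigations a defender would want: the header must be exactly 64 lowercase hex digits before it is used at all, and the body is streamed into a randomly named temporary file inside the cache directory, hashed as it goes, and renamed to cacheDir/digest only once the digest matches. It also enforces a size cap, which the bulletin does not mention. The Incus-Image-Hash header and the source.type=url flow are from the bulletin; the cache directory layout, the .partial- prefix and the 1 MiB cap in the demo are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// sha256Hex is the only accepted shape for an image-hash header value: exactly
// 64 lowercase hex digits. Separators, "..", other lengths or cases are refused
// before the value is ever used to build a filename.
var sha256Hex = regexp.MustCompile(`^[0-9a-f]{64}$`)

// ParseImageHashHeader validates a server-supplied digest header.
func ParseImageHashHeader(value string) (string, error) {
	if !sha256Hex.MatchString(value) {
		return "", fmt.Errorf("image hash header %q is not a SHA-256 hex digest", value)
	}
	return value, nil
}

// StoreVerifiedImage streams the response body into an unpredictable temporary
// file inside cacheDir, hashing as it goes, and only renames it to
// cacheDir/digest after the digest matches the header. A mismatch, an oversized
// body or any I/O error removes the temporary file, so unverified bytes never
// sit at the final path, however slowly the server delivers the body.
func StoreVerifiedImage(cacheDir, headerValue string, body io.Reader, maxBytes int64) (string, error) {
	expected, err := ParseImageHashHeader(headerValue)
	if err != nil {
		return "", err
	}
	final := filepath.Join(cacheDir, expected)
	if filepath.Dir(final) != filepath.Clean(cacheDir) { // belt and braces
		return "", fmt.Errorf("refusing path outside cache dir: %s", final)
	}
	tmp, err := os.CreateTemp(cacheDir, ".partial-*")
	if err != nil {
		return "", err
	}
	defer os.Remove(tmp.Name()) // no-op once the file has been renamed into place
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(tmp, h), io.LimitReader(body, maxBytes+1))
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return "", err
	}
	if n > maxBytes {
		return "", fmt.Errorf("image exceeds %d bytes", maxBytes)
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != expected {
		return "", fmt.Errorf("image digest mismatch: header %s, body %s", expected, got)
	}
	if err := os.Rename(tmp.Name(), final); err != nil {
		return "", err
	}
	return final, nil
}

// DigestOf computes the digest a well-behaved image server would send
// (helper for the demo and tests).
func DigestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	dir, err := os.MkdirTemp("", "image-cache-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	body := "constructed image bytes\n" // stand-in for a downloaded image
	cases := map[string]string{
		"matching digest":   DigestOf([]byte(body)),
		"traversal attempt": "../../escaped",
		"wrong digest":      DigestOf([]byte("something else")),
	}
	for label, header := range cases {
		p, err := StoreVerifiedImage(dir, header, strings.NewReader(body), 1<<20)
		fmt.Printf("%-18s path=%q err=%v\n", label, p, err)
	}
}
```

Because the temporary name is chosen by os.CreateTemp rather than by the remote server, a held-open response only ties up one unpredictable scratch file and some disk space (bounded by maxBytes); it never extends any window in which an attacker-chosen path holds attacker-chosen content.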


Remediation

Install the update from the vendor's website.