SB2026040957 - Multiple vulnerabilities in LXD
Published: April 9, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-34177)
The vulnerability allows a remote user to escalate privileges to host root.
The vulnerability exists due to improper access control in isVMLowLevelOptionForbidden in lxd/project/limits/permissions.go when validating VM low-level configuration keys in a restricted project. A remote privileged user can set the raw.apparmor and raw.qemu.conf options on a VM instance to escalate privileges to host root.
Exploitation requires a restricted project with restricted.virtual-machines.lowlevel=block and permission to edit and start a VM instance.
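Added illustration, not LXD's own code: the shape of the gate the first issue concerns, with a deny-list check that only rejects enumerated keys (the list here is constructed and hypothetical) beside a hardened check that refuses the whole raw.* namespace when restricted.virtual-machines.lowlevel=block. Only that project key and the two instance keys named above come from the bulletin; the namespace rule and every function name are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Project-level key named in the bulletin; "block" enables the restriction.
const lowLevelRestrictionKey = "restricted.virtual-machines.lowlevel"

// Hypothetical, incomplete deny list (constructed for illustration, not LXD's
// real list): raw.apparmor and raw.qemu.conf are absent, so a check that only
// rejects enumerated keys lets them through.
var incompleteDenyList = map[string]bool{"raw.qemu": true}

// enumeratedCheck: a key is forbidden only if it is on the list.
func enumeratedCheck(key string) bool { return incompleteDenyList[key] }

// namespaceCheck: assumption that every raw.* key hands the user direct
// control of a host-side component, so the whole namespace is low-level.
func namespaceCheck(key string) bool { return strings.HasPrefix(key, "raw.") }

// ForbiddenLowLevelKeys returns, sorted, the instance config keys the
// restriction must reject; nil when the project is not restricted.
func ForbiddenLowLevelKeys(project, instance map[string]string, forbidden func(string) bool) []string {
	if project[lowLevelRestrictionKey] != "block" {
		return nil
	}
	var keys []string
	for k := range instance {
		if forbidden(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// ValidateVMConfig is the hardened gate: one error naming every rejected key.
func ValidateVMConfig(project, instance map[string]string) error {
	if keys := ForbiddenLowLevelKeys(project, instance, namespaceCheck); len(keys) > 0 {
		return fmt.Errorf("project forbids low-level VM keys: %s", strings.Join(keys, ", "))
	}
	return nil
}

func main() {
	project := map[string]string{lowLevelRestrictionKey: "block"}
	change := map[string]string{"raw.apparmor": "...", "raw.qemu.conf": "...", "limits.cpu": "2"}
	fmt.Println("enumerated check rejects:", ForbiddenLowLevelKeys(project, change, enumeratedCheck))
	fmt.Println("namespace check rejects:", ForbiddenLowLevelKeys(project, change, namespaceCheck))
	fmt.Println("validate:", ValidateVMConfig(project, change))
}
```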
2) Improper access control (CVE-ID: CVE-2026-34178)
The vulnerability allows a remote user to bypass project restrictions and gain full host compromise.
The vulnerability exists due to improper access control in the LXD backup import process when importing a crafted instance backup archive. A remote privileged user can supply inconsistent backup/index.yaml and backup/container/backup.yaml files to bypass project restrictions and gain full host compromise.
Exploitation requires instance creation and operation permissions in a restricted project.
3) Improper access control (CVE-ID: CVE-2026-34179)
The vulnerability allows a remote user to escalate privileges to cluster admin.
The vulnerability exists due to improper access control in the doCertificateUpdate handler for the /1.0/certificates/{fingerprint} endpoint when processing PUT or PATCH requests that update TLS certificate records. A remote privileged user can send a crafted request to change the certificate type from client to server and escalate privileges to cluster admin.
The issue affects deployments using legacy restricted TLS certificates through the /1.0/certificates API, and the privilege change takes effect after the identity cache refresh.
Remediation
Install the update from the vendor's website.