SB2026040957 - Multiple vulnerabilities in LXD
Published: April 9, 2026 Updated: June 29, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-34177)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges to host root.
The vulnerability exists due to improper access control in isVMLowLevelOptionForbidden in lxd/project/limits/permissions.go when validating VM low-level configuration keys in a restricted project. A remote privileged user can set the raw.apparmor and raw.qemu.conf options on a VM instance to escalate privileges to host root.
Exploitation requires a restricted project with restricted.virtual-machines.lowlevel=block and permission to edit and start a VM instance.
2) Improper access control (CVE-ID: CVE-2026-34178)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass project restrictions and fully compromise the host.
The vulnerability exists due to improper access control in the LXD backup import process when importing a crafted instance backup archive. A remote privileged user can supply an archive whose backup/index.yaml and backup/container/backup.yaml files disagree with each other to bypass project restrictions and fully compromise the host.
Exploitation requires instance creation and operation permissions in a restricted project.
3) Improper access control (CVE-ID: CVE-2026-34179)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges to cluster admin.
The vulnerability exists due to improper access control in the doCertificateUpdate handler for the /1.0/certificates/{fingerprint} endpoint when processing PUT or PATCH requests that update TLS certificate records. A remote privileged user can send a crafted request to change the certificate type from client to server and escalate privileges to cluster admin.
The issue affects deployments that use legacy restricted TLS certificates through the /1.0/certificates API; the privilege change takes effect once the identity cache is refreshed.
4) Improper access control (CVE-ID: CVE-2026-55622)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in instance copy handling in POST /1.0/instances when copying an instance across projects. A remote user can send a crafted copy request that names a source project and source instance they are not authorized to view, and thereby obtain that instance's contents.
Exploitation requires knowledge of the source project name and the source instance name, and the copy must occur on the same server.
5) Improper access control (CVE-ID: CVE-2026-55621)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the custom volume copy path when handling storage volume copy requests across projects. A remote user can send a specially crafted request naming a source project of their choosing to disclose that volume's contents.
Exploitation requires knowledge of the source project name and the custom volume name, and the copy must occur on the same server.
6) Improper access control (CVE-ID: CVE-2026-48751)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands on the host.
The vulnerability exists due to improper access control in instance snapshot restoration when restoring snapshots in a restricted project. A remote user can move a crafted instance snapshot into a restricted project and restore it to execute arbitrary commands on the host.
The issue bypasses the restricted.containers.lowlevel=block restriction because snapshot restoration does not apply that setting, so low-level hooks such as raw.lxc or raw.qemu can be reintroduced through a snapshot.
7) NULL pointer dereference (CVE-ID: CVE-2026-9639)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in CreateCustomVolumeFromBackup in lxd/storage/backend_lxd.go when importing a crafted custom-volume backup tarball with an omitted volumes[0].snapshots[*].expires_at field. A remote user can upload a specially crafted backup tarball to cause a denial of service.
The issue crashes the entire lxd daemon process while handling a custom storage volume import request.
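A defensive pattern for the failure mode in item 7, as an added example that is not LXD's own code: an optional snapshot expiry decoded into a pointer field, the unchecked dereference that panics when the field is omitted, and the hardened accessor beside it, plus a recover wrapper standing in for the per-request protection a daemon needs so one bad archive cannot take the whole process down. The index layout, the use of JSON in place of LXD's YAML (so the example runs with only the standard library), the constructed sample input and the function names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed input: one custom volume with two snapshots; the second omits
// expires_at, the field the bulletin describes as triggering the crash.
const sampleIndex = `{
  "volumes": [
    {
      "name": "data",
      "snapshots": [
        {"name": "snap0", "expires_at": "2020-01-01T00:00:00Z"},
        {"name": "snap1"}
      ]
    }
  ]
}`

// Simplified index shapes (an assumption; the real format has more fields).
type VolumeSnapshot struct {
	Name      string     `json:"name"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"` // pointer: an absent field decodes to nil
}

type Volume struct {
	Name      string           `json:"name"`
	Snapshots []VolumeSnapshot `json:"snapshots"`
}

type Index struct {
	Volumes []Volume `json:"volumes"`
}

// ParseIndex decodes the index and rejects structurally invalid input up
// front, returning an error instead of letting bad data reach later code.
func ParseIndex(data []byte) (*Index, error) {
	var idx Index
	if err := json.Unmarshal(data, &idx); err != nil {
		return nil, fmt.Errorf("decode index: %w", err)
	}
	if len(idx.Volumes) == 0 {
		return nil, fmt.Errorf("index has no volumes")
	}
	for i, v := range idx.Volumes {
		if v.Name == "" {
			return nil, fmt.Errorf("volumes[%d]: missing name", i)
		}
		for j, s := range v.Snapshots {
			if s.Name == "" {
				return nil, fmt.Errorf("volumes[%d].snapshots[%d]: missing name", i, j)
			}
		}
	}
	return &idx, nil
}

// ExpiryUnsafe reproduces the crash pattern: an unconditional dereference of
// an optional pointer field. On snap1 it panics with a nil pointer dereference.
func ExpiryUnsafe(s VolumeSnapshot) time.Time {
	return *s.ExpiresAt
}

// ExpirySafe is the hardened form: a missing expires_at means "never expires",
// reported through the boolean rather than through a sentinel value.
func ExpirySafe(s VolumeSnapshot) (time.Time, bool) {
	if s.ExpiresAt == nil {
		return time.Time{}, false
	}
	return *s.ExpiresAt, true
}

// CountExpired walks every snapshot through the safe accessor.
func CountExpired(idx *Index, now time.Time) int {
	n := 0
	for _, v := range idx.Volumes {
		for _, s := range v.Snapshots {
			if exp, ok := ExpirySafe(s); ok && exp.Before(now) {
				n++
			}
		}
	}
	return n
}

// Recovers reports whether fn panicked. A long-running daemon should wrap
// handlers for untrusted input this way so a panic becomes a failed request.
func Recovers(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	idx, err := ParseIndex([]byte(sampleIndex))
	if err != nil {
		panic(err)
	}
	now := time.Date(2026, 4, 9, 0, 0, 0, 0, time.UTC)
	fmt.Println("expired snapshots:", CountExpired(idx, now))
	fmt.Println("unsafe accessor panics on snap1:", Recovers(func() { ExpiryUnsafe(idx.Volumes[0].Snapshots[1]) }))
}
```

The point of the pointer type is that it makes "field absent" representable; the bug is treating that representation as impossible. Validation at the decode boundary plus a recover at the request boundary are independent layers, and both are worth having.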
8) Improper access control (CVE-ID: CVE-2026-9640)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges to root on the host.
The vulnerability exists due to improper access control in the instance-backup import and snapshot-restore handlers when a tampered backup is imported and a snapshot from it is then restored. A remote privileged user can upload a crafted instance backup whose snapshot configuration contains restricted keys and restore that snapshot to escalate privileges to root on the host.
Exploitation requires a hardened multi-tenant project with restricted=true and restricted.containers.lowlevel=block, and the ability to create instances and edit the target project.
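Items 1, 6 and 8 share one theme: a low-level key (raw.lxc, raw.qemu, raw.qemu.conf, raw.apparmor) reaching an instance in a project that sets restricted.containers.lowlevel=block or restricted.virtual-machines.lowlevel=block, in items 6 and 8 by way of a snapshot rather than the instance config itself. The audit below, an added example that is not LXD's own code, walks both the instance configuration and every snapshot's configuration for such keys, which is the check an operator wants while an update is pending. The record shapes, the Sample* data and the rule that treats every raw.* key as low-level (broader than the bulletin's list) are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Simplified, constructed records; real LXD objects carry many more fields.
type Snapshot struct {
	Name   string
	Config map[string]string
}

type Instance struct {
	Name      string
	Type      string // "container" or "virtual-machine"
	Config    map[string]string
	Snapshots []Snapshot
}

// Project carries only the restriction settings the bulletin names.
type Project struct {
	Name             string
	Restricted       bool   // restricted=true
	ContainersLowlvl string // restricted.containers.lowlevel: "allow" or "block"
	VMLowlvl         string // restricted.virtual-machines.lowlevel: "allow" or "block"
}

// Finding is one low-level key found where the project forbids it.
type Finding struct {
	Instance string
	Location string // "config" or "snapshot:<name>"
	Key      string
}

// LowLevelBlocked reports whether p blocks low-level keys for inst's type.
func LowLevelBlocked(p Project, inst Instance) bool {
	if !p.Restricted {
		return false
	}
	if inst.Type == "virtual-machine" {
		return p.VMLowlvl == "block"
	}
	return p.ContainersLowlvl == "block"
}

// IsLowLevelKey matches raw.lxc, raw.qemu, raw.qemu.conf, raw.apparmor and,
// as an assumption, any other raw.* key.
func IsLowLevelKey(key string) bool {
	return strings.HasPrefix(key, "raw.")
}

// AuditInstance inspects the instance config and every snapshot's config,
// since the bulletin reports that snapshot restore skipped the restriction.
func AuditInstance(p Project, inst Instance) []Finding {
	var out []Finding
	if !LowLevelBlocked(p, inst) {
		return out
	}
	collect := func(loc string, cfg map[string]string) {
		keys := make([]string, 0, len(cfg))
		for k := range cfg {
			if IsLowLevelKey(k) {
				keys = append(keys, k)
			}
		}
		sort.Strings(keys) // map order is random; keep output deterministic
		for _, k := range keys {
			out = append(out, Finding{Instance: inst.Name, Location: loc, Key: k})
		}
	}
	collect("config", inst.Config)
	for _, s := range inst.Snapshots {
		collect("snapshot:"+s.Name, s.Config)
	}
	return out
}

// Constructed data: a hardened tenant project, a container whose only raw.*
// key lives in a snapshot, and a VM with raw.qemu.conf set directly.
func SampleProject() Project {
	return Project{Name: "tenant-a", Restricted: true, ContainersLowlvl: "block", VMLowlvl: "block"}
}

func SampleInstances() []Instance {
	return []Instance{
		{Name: "web", Type: "container",
			Config:    map[string]string{"limits.cpu": "2"},
			Snapshots: []Snapshot{{Name: "snap0", Config: map[string]string{"raw.lxc": "# constructed value"}}}},
		{Name: "vm1", Type: "virtual-machine",
			Config: map[string]string{"limits.memory": "2GiB", "raw.qemu.conf": "# constructed value"}},
	}
}

func main() {
	p := SampleProject()
	for _, inst := range SampleInstances() {
		for _, f := range AuditInstance(p, inst) {
			fmt.Printf("%s/%s: %s carries low-level key %s\n", p.Name, f.Instance, f.Location, f.Key)
		}
	}
}
```

On a live host, feed the same function from the instance and snapshot records returned by the LXD API instead of the constructed data; a finding under a snapshot: location is exactly the case items 6 and 8 describe, and should be treated as a tenant that has already tried to cross the restriction.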
Remediation
Install updates from the vendor's website.
References
- https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f
- https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4
- https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5
- https://github.com/canonical/lxd/security/advisories/GHSA-qx75-2p3r-pwm5
- https://github.com/lxc/incus/security/advisories/GHSA-c9f5-j9c3-mhrg
- https://github.com/canonical/lxd/security/advisories/GHSA-7mr3-28h5-m5vx
- https://github.com/lxc/incus/security/advisories/GHSA-64f3-v33m-w89f
- https://github.com/canonical/lxd/security/advisories/GHSA-47w9-6r3f-938g
- https://github.com/lxc/incus/security/advisories/GHSA-48q5-w887-33wv
- https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8
- https://github.com/canonical/lxd/blob/05bc272/lxd/storage/backend_lxd.go
- https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552