SB20260629120 - Debian update for lxd
Published: June 29, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2026-9639)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in CreateCustomVolumeFromBackup in lxd/storage/backend_lxd.go when importing a crafted custom-volume backup tarball with an omitted volumes[0].snapshots[*].expires_at field. A remote user can upload a specially crafted backup tarball to cause a denial of service.
The issue crashes the entire lxd daemon process while handling a custom storage volume import request.
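The failure mode here is an optional field that decodes to a nil pointer and is then dereferenced unguarded, so one bad request takes the daemon down. The Go program below is an added illustration written for this bulletin, not LXD's code: the Snapshot, Volume and BackupIndex types, the JSON index and the Expiry and ParseBackupIndex names are constructed to mirror the volumes[0].snapshots[*].expires_at path named above and show the unguarded accessor beside the hardened one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed types mirroring the index shape named in the bulletin
// (volumes[0].snapshots[*].expires_at); not LXD's own types. expires_at is
// optional, so it decodes to a nil pointer when the field is omitted.
type Snapshot struct {
	Name      string     `json:"name"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
}

type Volume struct {
	Name      string     `json:"name"`
	Snapshots []Snapshot `json:"snapshots"`
}

type BackupIndex struct {
	Volumes []Volume `json:"volumes"`
}

// expiryUnsafe is the failure mode: an unguarded dereference of the optional
// field. An unrecovered panic here takes the whole daemon down, not just the
// one import request.
func expiryUnsafe(s Snapshot) time.Time {
	return *s.ExpiresAt
}

// Expiry is the hardened accessor: an omitted expires_at means the snapshot
// never expires, represented by the zero time.
func Expiry(s Snapshot) time.Time {
	if s.ExpiresAt == nil {
		return time.Time{}
	}
	return *s.ExpiresAt
}

// PanicsOnDeref reports whether the unguarded accessor panics for s.
func PanicsOnDeref(s Snapshot) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	expiryUnsafe(s)
	return false
}

// ParseBackupIndex decodes and validates an index before storage code uses
// it, so malformed input becomes an error for the one request instead of a
// crash discovered deep inside the import path.
func ParseBackupIndex(data []byte) (*BackupIndex, error) {
	var idx BackupIndex
	if err := json.Unmarshal(data, &idx); err != nil {
		return nil, fmt.Errorf("decode backup index: %w", err)
	}
	if len(idx.Volumes) == 0 {
		return nil, fmt.Errorf("backup index has no volumes")
	}
	for _, v := range idx.Volumes {
		if v.Name == "" {
			return nil, fmt.Errorf("volume with empty name")
		}
		for _, s := range v.Snapshots {
			if s.Name == "" {
				return nil, fmt.Errorf("volume %q: snapshot with empty name", v.Name)
			}
		}
	}
	return &idx, nil
}

// SampleIndex is a constructed index whose only snapshot omits expires_at.
const SampleIndex = `{"volumes":[{"name":"data","snapshots":[{"name":"snap0"}]}]}`

func main() {
	idx, err := ParseBackupIndex([]byte(SampleIndex))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	s := idx.Volumes[0].Snapshots[0]
	fmt.Println("never expires:", Expiry(s).IsZero(), "unguarded panics:", PanicsOnDeref(s))
}
```

The point of the validation step is not the nil check itself but where the decision is made: decoded input is checked once, at the request boundary, and every later consumer of the index can rely on the invariants instead of guarding each field access.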
2) Improper access control (CVE-ID: CVE-2026-9640)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges to root on the host.
The vulnerability exists due to improper access control in the instance-backup import and snapshot-restore handlers: a tampered instance backup can carry snapshot configuration that the project's restrictions forbid, and restoring that snapshot applies it. A remote privileged user can upload such a backup and restore the malicious snapshot to gain root privileges on the host.
Exploitation requires a hardened multi-tenant project with restricted=true and restricted.containers.lowlevel=block, and the ability to create instances and edit the target project.
3) Link following (CVE-ID: CVE-2026-48749)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to read and write arbitrary files on the host.
The vulnerability exists due to improper link resolution in image extraction and the stopped-container file API when processing a specially crafted image containing a duplicate top-level rootfs symlink. A remote user can import a crafted image and access container files to read and write arbitrary files on the host.
This issue can expose host files with root privileges and may lead to arbitrary command execution.
4) Link following (CVE-ID: CVE-2026-48750)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the host.
The vulnerability exists due to improper link resolution in the exec-output handling of the /instances/$name/exec endpoint when the record-output parameter is used with an instance created from a crafted image. A remote user can create an instance from a crafted image and invoke exec with record-output enabled to execute arbitrary code on the host.
The issue arises because a top-level exec-output symlink in the image is extracted as-is, so the recorded stdout and stderr files are written to an arbitrary host location.
5) Improper access control (CVE-ID: CVE-2026-48751)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands on the host.
The vulnerability exists due to improper access control in instance snapshot restoration when restoring snapshots in a restricted project. A remote user can move a crafted instance snapshot into a restricted project and restore it to execute arbitrary commands on the host.
The issue bypasses the restricted.containers.lowlevel=block restriction because snapshots ignore that setting, and exploitation can abuse low-level hooks such as raw.lxc or raw.qemu.
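Issues 2 and 5 share one root cause: a snapshot's config replaces the instance's config on restore, but that path did not apply the project restrictions that a direct config edit goes through. The Go program below is an added example for this bulletin, not LXD's code. The project keys restricted and restricted.containers.lowlevel=block and the raw.lxc and raw.qemu names come from the bulletin; treating every "raw." key as low-level, and the CheckSnapshotRestore function itself, are assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// lowLevelBlocked reads the two project keys named in the bulletin.
func lowLevelBlocked(project map[string]string) bool {
	return project["restricted"] == "true" &&
		project["restricted.containers.lowlevel"] == "block"
}

// lowLevelKeys returns the config keys a restricted project must not accept.
// Treating every "raw." key as low-level (raw.lxc, raw.qemu and friends) is an
// assumption made for this example; those keys inject text straight into the
// LXC or QEMU configuration, which is why they amount to host code execution.
func lowLevelKeys(config map[string]string) []string {
	var keys []string
	for k := range config {
		if strings.HasPrefix(k, "raw.") {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// CheckSnapshotRestore applies the project restriction to the snapshot's own
// config. A restore (or a backup import followed by a restore) replaces the
// instance's config with the snapshot's, so it must go through the same
// validation as a direct config edit would; skipping it is the bypass.
func CheckSnapshotRestore(project, snapshotConfig map[string]string) error {
	if !lowLevelBlocked(project) {
		return nil
	}
	if keys := lowLevelKeys(snapshotConfig); len(keys) > 0 {
		return fmt.Errorf("restricted project blocks low-level keys: %s", strings.Join(keys, ", "))
	}
	return nil
}

func main() {
	// Constructed project and snapshot configs.
	restricted := map[string]string{
		"restricted":                     "true",
		"restricted.containers.lowlevel": "block",
	}
	crafted := map[string]string{"raw.lxc": "lxc.log.level = 1", "security.nesting": "true"}
	benign := map[string]string{"limits.cpu": "2"}
	fmt.Println("crafted snapshot:", CheckSnapshotRestore(restricted, crafted))
	fmt.Println("benign snapshot: ", CheckSnapshotRestore(restricted, benign))
}
```

The same check has to run wherever config can enter an instance by a side door: snapshot restore, backup import, and moving an instance or snapshot between projects, since the target project's restrictions, not the source's, are what matter after the move.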
6) Input validation error (CVE-ID: CVE-2026-48752)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to read and write arbitrary files on the host.
The vulnerability exists due to improper input validation in the image tar extraction logic when processing a specially crafted container image containing a top-level templates symlink. A remote user can import a specially crafted image to read and write arbitrary files on the host.
This issue may also lead to arbitrary command execution on the host.
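Issues 3, 4 and 6 are the same extraction bug seen through three top-level names (rootfs, exec-output, templates): the image tarball may declare a symlink where the extractor expects a real directory, and later entries, or later daemon writes, follow it onto the host. The Go program below is an added example for this bulletin, not LXD's extraction code; AuditImageTar, the entry helper and both sample tarballs are constructed here. It walks an archive before extraction and reports every pattern an extractor must refuse.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path"
	"strings"
)

type Finding struct{ Name, Reason string }

// AuditImageTar flags: a symlink at the image top level (rootfs, templates and
// exec-output must be real directories), a name declared twice with a different
// type, a path that passes through an earlier symlink, and any name or link
// target that leaves the extraction root.
func AuditImageTar(r io.Reader) ([]Finding, error) {
	tr := tar.NewReader(r)
	seenType, symlinks := map[string]byte{}, map[string]bool{} // keyed by cleaned name
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		add := func(reason string) { findings = append(findings, Finding{hdr.Name, reason}) }
		clean := path.Clean(strings.TrimSuffix(hdr.Name, "/"))
		if path.IsAbs(hdr.Name) || clean == ".." || strings.HasPrefix(clean, "../") {
			add("entry name escapes the extraction root")
			continue
		}
		for dir := path.Dir(clean); dir != "."; dir = path.Dir(dir) {
			if symlinks[dir] {
				add("path passes through earlier symlink " + dir)
				break
			}
		}
		if prev, ok := seenType[clean]; ok && prev != hdr.Typeflag {
			add("duplicate name with a different type")
		}
		seenType[clean] = hdr.Typeflag
		if hdr.Typeflag != tar.TypeSymlink {
			continue
		}
		symlinks[clean] = true
		if !strings.Contains(clean, "/") {
			add("symlink at image top level")
		}
		target := path.Clean(path.Join(path.Dir(clean), hdr.Linkname))
		if path.IsAbs(hdr.Linkname) || target == ".." || strings.HasPrefix(target, "../") {
			add("symlink target leaves the extraction root")
		}
	}
}

type entry struct{ name, link, data string; typ byte }

// buildTar writes the constructed entries into an in-memory tarball.
func buildTar(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typ, Linkname: e.link, Mode: 0o644, Size: int64(len(e.data))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.data)) // Size matches len(data), so this cannot short-write
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// CleanImage: real top-level directories and a relative symlink that stays inside.
func CleanImage() []byte {
	return buildTar([]entry{
		{name: "rootfs/", typ: tar.TypeDir},
		{name: "rootfs/etc/localtime", typ: tar.TypeSymlink, link: "../usr/share/zoneinfo/UTC"},
		{name: "templates/", typ: tar.TypeDir},
		{name: "templates/hostname.tpl", typ: tar.TypeReg, data: "{{ container.name }}\n"},
	})
}

// CraftedImage: constructed hostile sample (not a real exploit image), one entry per pattern.
func CraftedImage() []byte {
	return buildTar([]entry{
		{name: "rootfs/", typ: tar.TypeDir},
		{name: "rootfs", typ: tar.TypeSymlink, link: "/"},                           // duplicate top-level symlink
		{name: "rootfs/root/.ssh/authorized_keys", typ: tar.TypeReg, data: "key\n"}, // would now land on the host
		{name: "templates", typ: tar.TypeSymlink, link: "../../../etc"},
		{name: "exec-output", typ: tar.TypeSymlink, link: "/var/tmp"},
		{name: "../../../etc/cron.d/job", typ: tar.TypeReg, data: "# constructed\n"},
	})
}
```

Two details matter in practice. The duplicate-name check is what catches the rootfs case, because the symlink arrives after a legitimate rootfs/ directory and a naive extractor simply replaces one with the other. And a pre-scan is only half the fix: the daemon's own later writes (exec output, template rendering, the file API on a stopped container) must also open paths without following symlinks, since an image that passes the audit can still be modified from inside a running container.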
7) Input validation error (CVE-ID: CVE-2026-48755)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in backup compression algorithm handling when processing backup requests with a user-supplied compression_algorithm value. A remote user can supply a crafted compression algorithm with injected arguments to execute arbitrary code.
The issue can be exploited to achieve an arbitrary file write on the host, which may be leveraged for command execution.
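The pattern behind this issue is a compression tool name that is really a command line: once the caller's string is split into an argument vector, every flag the tool understands becomes caller-controlled, and no shell is needed for that. The Go program below is an added example for this bulletin, not LXD's backup code; the compressors table and the CompressorArgv and CompressorCmd names are assumptions made here. It shows the vulnerable shape next to an exact-match allowlist that maps each accepted name to a fixed argv.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// compressorUnsafe is the vulnerable shape: the user's compression_algorithm
// string is split into an argv, so every token after the tool name reaches
// the tool as an argument. No shell is involved, yet any flag the tool
// accepts, such as one naming an output or list file, is now caller-chosen.
func compressorUnsafe(algorithm string) *exec.Cmd {
	parts := strings.Fields(algorithm)
	if len(parts) == 0 {
		return nil
	}
	return exec.Command(parts[0], parts[1:]...)
}

// compressors is the allowlist (an assumption for this example, not LXD's own
// table): each accepted name maps to a fixed argv that the caller never edits.
var compressors = map[string][]string{
	"none":  nil,
	"gzip":  {"gzip", "-c"},
	"bzip2": {"bzip2", "-c"},
	"xz":    {"xz", "-c"},
	"zstd":  {"zstd", "-c"},
}

// CompressorArgv resolves the requested algorithm to its fixed argv. The
// lookup is an exact match on the whole string, so "gzip --help" or
// "gzip\t-d" is rejected rather than partially honoured.
func CompressorArgv(algorithm string) ([]string, error) {
	argv, ok := compressors[algorithm]
	if !ok {
		return nil, fmt.Errorf("unsupported compression algorithm %q", algorithm)
	}
	return argv, nil
}

// CompressorCmd builds the command; a nil *exec.Cmd with a nil error means
// "none", i.e. the backup stream is written uncompressed.
func CompressorCmd(algorithm string) (*exec.Cmd, error) {
	argv, err := CompressorArgv(algorithm)
	if err != nil || argv == nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	// Constructed request values: one legitimate, one carrying injected tokens.
	for _, req := range []string{"xz", "xz --help"} {
		if cmd := compressorUnsafe(req); cmd != nil {
			fmt.Printf("unsafe   %q -> argv %q\n", req, cmd.Args)
		}
		cmd, err := CompressorCmd(req)
		if err != nil {
			fmt.Printf("hardened %q -> rejected: %v\n", req, err)
			continue
		}
		fmt.Printf("hardened %q -> argv %q\n", req, cmd.Args)
	}
}
```

Validating with a character filter (say, rejecting spaces) is not enough, since tools also read options from environment variables and tabs or newlines also split; an exact-match table is the only shape that leaves the caller no influence over the argument vector.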
8) Path traversal (CVE-ID: CVE-2026-48769)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in image download handling for source.type=url when processing a crafted Incus-Image-Hash header returned by the image server. A remote user who points an image download at a server under their control can return a crafted header value to write arbitrary files on the host and execute arbitrary code.
The file is created and populated before SHA-256 validation occurs, and a slow or held response can extend the arbitrary-write window.
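The two defects named above are a header value used as a file name without validation and a file that is created and filled before the digest is checked. The Go program below is an added example for this bulletin, not LXD's image code: the header name Incus-Image-Hash comes from the bulletin, while the images directory layout, ValidateImageHash, StoreImage and the sample image are assumptions made here. It validates the header as a bare SHA-256 hex digest before it touches any path, streams the body into a temporary file in the target directory, and renames into place only after the digest has been verified over the whole stream, so a slow or hostile server leaves nothing usable behind.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
)

var sha256Hex = regexp.MustCompile(`^[0-9a-f]{64}$`)

// ValidateImageHash accepts only a lowercase hex SHA-256 digest, the one
// thing an image-hash header may legitimately carry. Anything else, in
// particular "/" or "..", is rejected before the value is joined to a path.
func ValidateImageHash(h string) error {
	if !sha256Hex.MatchString(h) {
		return fmt.Errorf("invalid image hash %q", h)
	}
	return nil
}

// StoreImage saves a downloaded image under its advertised hash in the
// order that closes the window described above: write to a temporary file
// inside imagesDir, verify the digest over the whole stream, and only then
// rename into place. A bad header or a mismatch leaves nothing behind.
func StoreImage(imagesDir, advertisedHash string, body io.Reader) (string, error) {
	if err := ValidateImageHash(advertisedHash); err != nil {
		return "", err
	}
	tmp, err := os.CreateTemp(imagesDir, ".download-*")
	if err != nil {
		return "", err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	defer tmp.Close()

	h := sha256.New()
	if _, err := io.Copy(io.MultiWriter(tmp, h), body); err != nil {
		return "", err
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != advertisedHash {
		return "", fmt.Errorf("image hash mismatch: advertised %s, got %s", advertisedHash, got)
	}
	if err := tmp.Close(); err != nil {
		return "", err
	}
	final := filepath.Join(imagesDir, advertisedHash)
	if err := os.Rename(tmp.Name(), final); err != nil {
		return "", err
	}
	return final, nil
}

// SampleImage returns a constructed image body and its correct digest.
func SampleImage() ([]byte, string) {
	body := []byte("constructed image bytes, not a real image")
	sum := sha256.Sum256(body)
	return body, hex.EncodeToString(sum[:])
}

// Demo exercises three server behaviours against a scratch directory and
// returns the number of files left in it afterwards (expected: 1).
func Demo(imagesDir string) (int, error) {
	body, good := SampleImage()
	if _, err := StoreImage(imagesDir, good, bytes.NewReader(body)); err != nil {
		return 0, fmt.Errorf("honest server: %w", err)
	}
	// A server returning a traversal payload in the hash header.
	if _, err := StoreImage(imagesDir, "../../../../tmp/evil", bytes.NewReader(body)); err == nil {
		return 0, fmt.Errorf("traversal header accepted")
	}
	// A server whose advertised digest does not match what it sends.
	bad := "0000000000000000000000000000000000000000000000000000000000000000"
	if _, err := StoreImage(imagesDir, bad, bytes.NewReader(body)); err == nil {
		return 0, fmt.Errorf("mismatching digest accepted")
	}
	entries, err := os.ReadDir(imagesDir)
	return len(entries), err
}

func main() {
	dir, err := os.MkdirTemp("", "images-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(Demo(dir))
}
```

The temporary file is created in the same directory as the final path so the rename is atomic on the same filesystem, and its random name is never derived from anything the server sent; a size limit or timeout on the body read is the remaining piece a production version would add against a server that holds the connection open.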
9) Improper access control (CVE-ID: CVE-2026-55621)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the custom volume copy path when handling storage volume copy requests across projects. A remote user can send a specially crafted request with an attacker-controlled source project to disclose sensitive information.
Exploitation requires knowledge of the source project name and the custom volume name, and the copy must occur on the same server.
10) Improper access control (CVE-ID: CVE-2026-55622)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in instance copy handling in POST /1.0/instances when copying an instance across projects. A remote user can send a crafted instance copy request referencing a source project and instance they are not authorized to view to disclose sensitive information.
Exploitation requires knowledge of the source project name and source instance name, and the copy occurs on the same server.
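Issues 9 and 10 have the same shape: a same-server copy names two objects, the target the caller is visibly working in and a source in another project, and only the target was checked. The Go program below is an added example for this bulletin, not LXD's authorization code; the Grant, Authorizer and CopyRequest types, the project-level "view" and "create" permissions and the tenant names are assumptions made here. It shows the one-sided check beside one that authorizes the source object before doing anything with it.

```go
package main

import "fmt"

// Grant is one (subject, project, permission) tuple. Project-level grants are
// a simplification for this example; the check is the same with per-object
// grants.
type Grant struct{ Subject, Project, Permission string }

// Authorizer answers yes/no for a grant lookup.
type Authorizer struct{ grants map[Grant]bool }

func NewAuthorizer(gs ...Grant) *Authorizer {
	a := &Authorizer{grants: map[Grant]bool{}}
	for _, g := range gs {
		a.grants[g] = true
	}
	return a
}

func (a *Authorizer) Allowed(subject, project, permission string) bool {
	return a.grants[Grant{subject, project, permission}]
}

// CopyRequest is the shape of a same-server copy: the target project comes
// from the request URL, the source project and name from the request body.
type CopyRequest struct {
	Subject, TargetProject, SourceProject, SourceName string
}

// authorizeCopyUnsafe is the flawed check: only the target project, the one
// the caller is visibly working in, is consulted. Anyone who can guess a
// source project and object name can copy it out.
func authorizeCopyUnsafe(a *Authorizer, r CopyRequest) error {
	if !a.Allowed(r.Subject, r.TargetProject, "create") {
		return fmt.Errorf("no create permission in project %q", r.TargetProject)
	}
	return nil
}

// AuthorizeCopy checks the source first, answering "not found" whether the
// object is missing or merely invisible so the endpoint is not an existence
// oracle, and only then checks the target.
func AuthorizeCopy(a *Authorizer, r CopyRequest) error {
	if !a.Allowed(r.Subject, r.SourceProject, "view") {
		return fmt.Errorf("%s/%s: not found", r.SourceProject, r.SourceName)
	}
	if !a.Allowed(r.Subject, r.TargetProject, "create") {
		return fmt.Errorf("no create permission in project %q", r.TargetProject)
	}
	return nil
}

// SampleAuthorizer grants subject "bob" rights in tenant-b only.
func SampleAuthorizer() *Authorizer {
	return NewAuthorizer(
		Grant{"bob", "tenant-b", "view"},
		Grant{"bob", "tenant-b", "create"},
	)
}

func main() {
	a := SampleAuthorizer()
	req := CopyRequest{Subject: "bob", TargetProject: "tenant-b", SourceProject: "tenant-a", SourceName: "db1"}
	fmt.Println("unsafe:  ", authorizeCopyUnsafe(a, req)) // <nil>: the cross-project copy goes through
	fmt.Println("hardened:", AuthorizeCopy(a, req))       // tenant-a/db1: not found
}
```

The same rule covers every endpoint that takes a "source" reference in its body (instance copy, volume copy, migration, backup from another project): the access check belongs to the object being read, not only to the place the result lands.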
Remediation
Install the update from the vendor's website.