Improper Certificate Validation in lxd - CVE-2024-6156

Published: December 2, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125582
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-6156
CWE-ID: CWE-295
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Containers
Affected software:
lxd

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper certificate validation in the TLS client certificate authentication logic when handling TLS handshakes in PKI mode. A local user who presents a certificate that is not signed by the configured CA but is already present in the trust store is still authenticated, and can use that access to disclose sensitive information.

Only systems running in PKI mode are affected, and exploitation requires the certificate to have been present in the trust store before PKI mode was enabled.
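To make the failure mode concrete, here is an added Go example (not LXD's own code): a hypothetical `Verifier` whose `WeakAuthenticate` lets trust-store membership short-circuit the CA check, beside a `StrictAuthenticate` that makes the CA signature mandatory whenever PKI mode is on. The `Verifier` type, the `newCert` test helper and the policy of still requiring trust-store membership in PKI mode are assumptions for illustration, not a description of the vendor's fix.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verifier is a hypothetical daemon-side client certificate checker (not LXD's code). Outside PKI
// mode a certificate is trusted by fingerprint membership in TrustStore; in PKI mode the CA must sign it.
type Verifier struct {
	PKIMode    bool
	CA         *x509.CertPool    // assumed non-nil whenever PKIMode is true
	TrustStore map[[32]byte]bool // SHA-256 fingerprints of certificates trusted earlier
}

func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
func (v *Verifier) signedByCA(c *x509.Certificate) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: v.CA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// WeakAuthenticate reproduces the CWE-295 pattern in the advisory: trust-store membership bypasses the CA check.
func (v *Verifier) WeakAuthenticate(c *x509.Certificate) bool {
	return v.TrustStore[fingerprint(c)] || (v.PKIMode && v.signedByCA(c))
}

// StrictAuthenticate makes the CA signature mandatory in PKI mode; trust-store membership
// stays an additional condition (an assumed policy), never a bypass.
func (v *Verifier) StrictAuthenticate(c *x509.Certificate) bool {
	return (!v.PKIMode || v.signedByCA(c)) && v.TrustStore[fingerprint(c)]
}

// newCert issues a short-lived Ed25519 test certificate; with parent == nil it is self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```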


How to mitigate CVE-2024-6156

Install the security update from the vendor's website.

Sources