#VU125582 Improper Certificate Validation in lxd - CVE-2024-6156


Published: December 2, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125582
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-6156
CWE-ID: CWE-295
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
lxd
Software vendor:
Linux Containers

Description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper certificate validation in the TLS client certificate authentication logic when handling TLS handshakes in PKI mode. A local user can present a certificate that is not signed by the configured CA but is already present in the trust store, and is still authenticated, which allows disclosure of sensitive information.

Only systems running in PKI mode are affected, and exploitation requires that the certificate was already present in the trust store before PKI mode was enabled.
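As an added example (not lxd's own code), the Go model below contrasts the flawed and the hardened PKI-mode check the advisory describes: `AllowLegacy` falls back to trust-store membership when CA verification fails, while `AllowFixed` accepts only a chain to the configured CA. The names `Verifier`, `AllowLegacy`, `AllowFixed`, `Fingerprint` and `NewCert` are assumptions, and `NewCert` only builds constructed test certificates.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Verifier models the advisory's two trust sources (assumed names, not lxd's code):
// the PKI-mode CA pool and a trust store populated before PKI mode was enabled.
type Verifier struct {
	CAs        *x509.CertPool
	TrustStore map[string]bool // hex SHA-256 of the DER certificate
}
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}
// AllowFixed is the hardened PKI-mode check: only a chain to the CA counts.
func (v *Verifier) AllowFixed(c *x509.Certificate) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: v.CAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// AllowLegacy models the flawed logic: a certificate that fails CA verification
// is still accepted when it is already present in the trust store.
func (v *Verifier) AllowLegacy(c *x509.Certificate) bool {
	return v.AllowFixed(c) || v.TrustStore[Fingerprint(c)]
}

// NewCert builds a short-lived constructed test certificate; parent == nil makes it self-signed.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	usage := x509.KeyUsageDigitalSignature
	if isCA { usage |= x509.KeyUsageCertSign }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: usage, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A self-signed client certificate that was trusted before PKI mode was switched on passes `AllowLegacy` but fails `AllowFixed`, which is the behaviour the fix should produce.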


Remediation

Install the security update from the vendor's website.

External links