#VU125584 OS Command Injection in lxd - CVE-2026-28384


Published: April 9, 2026


Vulnerability identifier: #VU125584
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28384
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
lxd
Software vendor:
Linux Containers

Description

The vulnerability allows a remote user to execute arbitrary code on the host.

The vulnerability exists due to improper neutralization of special elements used in an OS command (CWE-78) in the compressFile function and the related image and backup API handlers when they process a user-supplied compression_algorithm value. A remote, authenticated user can send a specially crafted API request carrying a malicious compression_algorithm value and execute arbitrary code on the host.

Exploitation requires image creation or backup management permissions on the LXD API, so the trust boundary is every account that holds those permissions, including on a daemon whose REST API is exposed over the network. Code execution occurs in the LXD daemon context, which typically runs as root.
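The following Go snippet is an added illustration of the vulnerability class the advisory describes and is not LXD's code; the exact shape of the command LXD builds around compression_algorithm is not given on this page and is assumed here. It shows a compressor name spliced into a shell command line (the CWE-78 pattern) beside a hardened variant that allowlists the algorithm and passes it to execve(2) as a separate argv element, with no shell in between. The helper names (vulnerableCommandLine, runVulnerable, compressorArgv, hardenedCompressCmd) and the allowlist contents are hypothetical.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Constructed example: a user-controlled "compression_algorithm" value that
// reaches an OS command. Not LXD's code; the command shape is an assumption.

// vulnerableCommandLine mimics the unsafe pattern: the algorithm name is
// concatenated into a string that a shell will later parse, so metacharacters
// such as ';', '|', '$()' and '`' change the command instead of naming a tool.
func vulnerableCommandLine(algorithm, archive string) string {
	return fmt.Sprintf("tar -cf - %s | %s > %s.tar.%s", archive, algorithm, archive, algorithm)
}

// runVulnerable executes a benign stand-in for the unsafe path through sh -c.
// The payload only echoes, but it runs with the daemon's privileges (root, in
// LXD's usual deployment), which is the whole point of the finding.
func runVulnerable(algorithm string) (string, error) {
	cmdline := "echo compressing with " + algorithm
	out, err := exec.Command("sh", "-c", cmdline).CombinedOutput()
	return string(out), err
}

// allowedAlgorithms maps an accepted compression_algorithm value to the argv
// that will be executed. The value is used only as a map key, never as a
// command fragment. The set of names here is illustrative.
var allowedAlgorithms = map[string][]string{
	"gzip":  {"gzip", "-c"},
	"bzip2": {"bzip2", "-c"},
	"xz":    {"xz", "-c"},
	"zstd":  {"zstd", "-c"},
	"lzma":  {"lzma", "-c"},
}

// algorithmNamePattern is a defence-in-depth check that runs before the map
// lookup: a legitimate algorithm name never needs anything outside [a-z0-9].
var algorithmNamePattern = regexp.MustCompile(`^[a-z0-9]+$`)

// compressorArgv validates a user-supplied compression_algorithm value and
// returns the argv to run, or an error if the value is not allowlisted.
func compressorArgv(algorithm string) ([]string, error) {
	if !algorithmNamePattern.MatchString(algorithm) {
		return nil, fmt.Errorf("compression_algorithm %q contains characters outside [a-z0-9]", algorithm)
	}
	argv, ok := allowedAlgorithms[algorithm]
	if !ok {
		return nil, fmt.Errorf("compression_algorithm %q is not in the allowlist", algorithm)
	}
	// Return a copy so callers cannot mutate the allowlist entry.
	return append([]string(nil), argv...), nil
}

// hardenedCompressCmd builds the compressor process without a shell:
// exec.Command hands argv straight to execve(2), so the algorithm name can
// only ever be the program name, never additional commands.
func hardenedCompressCmd(algorithm string) (*exec.Cmd, error) {
	argv, err := compressorArgv(algorithm)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	// Constructed malicious value: a valid algorithm followed by an injected command.
	payload := "gzip; echo INJECTED"

	fmt.Println("unsafe command line:", vulnerableCommandLine(payload, "backup"))
	out, _ := runVulnerable(payload)
	fmt.Print("unsafe execution output:\n", out)

	if _, err := hardenedCompressCmd(payload); err != nil {
		fmt.Println("hardened path rejected it:", err)
	}
	cmd, _ := hardenedCompressCmd("gzip")
	fmt.Println("hardened argv:", cmd.Args)
}
```

The fix that matters is the argv construction, not the regular expression: even an allowlisted name is never handed to a shell, so a future allowlist entry cannot reintroduce the bug. The pattern check exists only to fail early and to produce a clear error in the API response.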


Remediation

Install the security update from the vendor's website. Until it is applied, limit image creation and backup management permissions to trusted accounts, since those permissions are the prerequisite for exploitation.

External links