OS Command Injection in lxd - CVE-2026-28384

Published: April 9, 2026


Vulnerability identifier: #VU125584
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28384
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Containers
Affected software:
lxd

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary OS commands on the host.

The vulnerability exists due to improper neutralization of special elements used in an OS command (CWE-78) in the compressFile function and the related image and backup API handlers when processing a user-supplied compression_algorithm value. Because the value is passed into a command line without being validated or escaped, a remote user can send a specially crafted API request that embeds shell metacharacters in compression_algorithm and thereby execute arbitrary commands on the host.

Exploitation requires an LXD account with image creation or backup management permissions, so the issue is not reachable by unauthenticated clients. The injected commands run in the context of the LXD daemon, which typically runs as root, so successful exploitation yields full control of the host rather than of a single container.
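To make the weakness class concrete, the following Go program contrasts a compress-file helper that interpolates the caller's algorithm name into a shell command line with a hardened version that resolves the name through an allowlist and runs the compressor without a shell. This is an added example, not LXD's own code: the function names compressFileVulnerable and compressFileHardened, the allowlist table, the regular expression and the sample paths and crafted value are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"regexp"
)

// Constructed illustration of CWE-78 in a compress-file helper. Not LXD code:
// the function names, the argv table and the sample inputs are assumptions.

// compressFileVulnerable builds the compression pipeline as a single string
// and hands it to a shell. A compression_algorithm value such as
// "gzip; id > /tmp/pwned" is parsed by sh, so the text after ';' becomes a
// second command that runs with the daemon's privileges.
func compressFileVulnerable(inputPath, outputPath, algorithm string) *exec.Cmd {
	cmdline := fmt.Sprintf("%s -c %s > %s", algorithm, inputPath, outputPath)
	return exec.Command("sh", "-c", cmdline)
}

// allowedCompressors maps an accepted algorithm name to a fixed argv prefix.
// The caller's string is only ever used as a map key, never as program text.
var allowedCompressors = map[string][]string{
	"gzip":  {"gzip", "-c"},
	"bzip2": {"bzip2", "-c"},
	"xz":    {"xz", "-c"},
	"zstd":  {"zstd", "-c"},
}

var errUnsupportedAlgorithm = errors.New("unsupported compression_algorithm")

// algorithmNameRe is a defence-in-depth check: even if the allowlist were
// extended carelessly later, a name containing shell metacharacters is
// rejected before the lookup.
var algorithmNameRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// compressionArgv resolves a user-supplied algorithm name to a fresh argv
// slice, or returns an error for anything outside the allowlist.
func compressionArgv(algorithm string) ([]string, error) {
	if !algorithmNameRe.MatchString(algorithm) {
		return nil, fmt.Errorf("%w: %q contains invalid characters", errUnsupportedAlgorithm, algorithm)
	}
	base, ok := allowedCompressors[algorithm]
	if !ok {
		return nil, fmt.Errorf("%w: %q", errUnsupportedAlgorithm, algorithm)
	}
	argv := make([]string, len(base)) // copy so callers cannot mutate the table
	copy(argv, base)
	return argv, nil
}

// compressFileHardened runs the compressor directly (no shell) with the input
// path as a separate argv element and the output as a redirected stdout
// writer, so neither the algorithm nor the paths can alter the command.
func compressFileHardened(inputPath string, out io.Writer, algorithm string) (*exec.Cmd, error) {
	argv, err := compressionArgv(algorithm)
	if err != nil {
		return nil, err
	}
	argv = append(argv, inputPath)
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdout = out
	return cmd, nil
}

func main() {
	// Constructed attacker-style value: a valid algorithm followed by an
	// injected command. Nothing is executed here; only the argv is shown.
	crafted := "gzip; id > /tmp/pwned"

	v := compressFileVulnerable("/tmp/rootfs.tar", "/tmp/out.gz", crafted)
	fmt.Println("vulnerable argv:", v.Args) // sh -c "gzip; id > /tmp/pwned -c ..."

	if _, err := compressFileHardened("/tmp/rootfs.tar", io.Discard, crafted); err != nil {
		fmt.Println("hardened rejected:", err)
	}
	h, _ := compressFileHardened("/tmp/rootfs.tar", os.Stdout, "gzip")
	fmt.Println("hardened argv:", h.Args) // [gzip -c /tmp/rootfs.tar]
}
```

The structural fix is that the hardened path never constructs program text from input: the user's string selects an entry in a fixed table, each argument is a separate argv element, and output redirection is done through cmd.Stdout rather than a shell `>`. The regular expression is a second layer, not the primary control; an allowlist that maps names to fixed argv is what removes the injection surface.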


How to mitigate CVE-2026-28384

Install the security update from the vendor. Until it is applied, limit image creation and backup management permissions to trusted accounts, since those permissions are the precondition for reaching the affected handlers.

Sources