Link following in LXD - CVE-2026-48749

Published: June 29, 2026


Vulnerability identifier: #VU135802
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48749
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Containers
Affected software:
LXD

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and write arbitrary files on the host.

The vulnerability exists due to improper link resolution in two code paths, image extraction and the file API for stopped containers, when they process a specially crafted image that contains a duplicate top-level rootfs entry which is a symlink. Neither path checks where the link actually leads, so paths that should stay inside the container's rootfs are resolved on the host filesystem instead. A remote user who is permitted to import images can import the crafted image and then use the file API on a stopped container created from it to read and write arbitrary files on the host.

Because the LXD daemon runs as root, the host files are read and written with root privileges, so the issue can expose sensitive host files and may lead to arbitrary command execution on the host.
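The two-path failure described above, modelled as an added example in Go (LXD's own language) that is not LXD's code and not the vendor's fix: a constructed sample image is built in memory with a "rootfs/" directory, a duplicate top-level "rootfs" entry that is a symlink, and a file beneath it; a naive extractor creates the link and then writes the file through it onto the host, while a guarded extractor refuses both the duplicate entry and any path that passes through a symlink. The image layout, the entry names and the guard policy are assumptions, since the page does not describe LXD's internals.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// craftedImage builds a constructed sample image tarball in memory: a "rootfs/" directory, a second
// top-level "rootfs" entry that is a symlink to linkTarget (the duplicate), and a file under rootfs/.
func craftedImage(linkTarget string) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := "written through the link\n"
	for _, h := range []tar.Header{
		{Name: "rootfs/", Typeflag: tar.TypeDir, Mode: 0o755},
		{Name: "rootfs", Typeflag: tar.TypeSymlink, Linkname: linkTarget, Mode: 0o777},
		{Name: "rootfs/etc/pwned", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))},
	} {
		if err := tw.WriteHeader(&h); err != nil {
			return nil, err
		}
	}
	if _, err := io.WriteString(tw, body); err != nil { // body of the last (regular) entry
		return nil, err
	}
	err := tw.Close() // writes the end-of-archive blocks
	return buf.Bytes(), err
}

// extract unpacks image into dest. With guard == nil it is the naive extractor: names are joined onto
// dest, a later entry replaces an earlier one of the same name, and nothing checks where a path leads.
func extract(dest string, image []byte, guard func(dest, p string) error) error {
	tr := tar.NewReader(bytes.NewReader(image))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		p := filepath.Join(dest, hdr.Name)
		if guard != nil {
			if err := guard(dest, p); err != nil {
				return fmt.Errorf("entry %q: %w", hdr.Name, err)
			}
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(p, 0o755)
		case tar.TypeSymlink:
			os.Remove(p) // duplicate name: the empty "rootfs/" directory gives way to the link
			err = os.Symlink(hdr.Linkname, p)
		case tar.TypeReg: // MkdirAll and Create follow dest/rootfs once it is a link
			var f *os.File
			if err = os.MkdirAll(filepath.Dir(p), 0o755); err == nil {
				if f, err = os.Create(p); err == nil {
					_, err = io.Copy(f, tr)
					f.Close()
				}
			}
		}
		if err != nil {
			return err
		}
	}
}

// noLinkComponents fails if any already-existing component of p below root is a symlink.
func noLinkComponents(root, p string) error {
	root = filepath.Clean(root)
	if rel, err := filepath.Rel(root, p); err != nil || !filepath.IsLocal(rel) {
		return fmt.Errorf("%s is not under %s", p, root)
	}
	for cur := p; cur != root; cur = filepath.Dir(cur) {
		fi, err := os.Lstat(cur)
		if os.IsNotExist(err) {
			continue // not created yet, so it cannot be a link
		} else if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%s is a symlink", cur)
		}
	}
	return nil
}

// safeGuard is the check the naive path lacks: an entry may not replace what is already on disk
// (so a second "rootfs" cannot turn the directory into a link) and may not be created through a symlink.
func safeGuard(dest, p string) error {
	if _, err := os.Lstat(p); err == nil {
		return fmt.Errorf("duplicate entry, %s already exists", p)
	}
	return noLinkComponents(dest, p)
}
```

Run extract with the guard set to nil to reproduce the write outside the extraction directory, then with safeGuard to see the duplicate "rootfs" entry rejected before the link is ever created. The same rule, never resolve a container path through a symlink the image controls, is what the stopped-container file API needs as well; on Linux the kernel can enforce it directly with openat2(2) and RESOLVE_BENEATH or RESOLVE_NO_SYMLINKS. The guard inspects the components that exist at the time of the call, so it assumes nothing else is writing to the destination concurrently.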


How to mitigate CVE-2026-48749

Install the security update from the vendor's website. Until it is applied, treat the ability to import images as equivalent to root on the host and restrict it to trusted users.
