Input validation error in LXD - CVE-2026-48755
Published: June 29, 2026
Vulnerability identifier: #VU135803
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48755
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Linux Containers
Affected software:
LXD
LXD
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in backup compression algorithm handling when processing backup requests with a user-supplied compression_algorithm value. A remote user can supply a crafted compression algorithm with injected arguments to execute arbitrary code.
The issue can be exploited to achieve an arbitrary file write on the host, which may be leveraged for command execution.
How to mitigate CVE-2026-48755
Install security update from vendor's website.