CVE-2026-9640

NameCVE-2026-9640
DescriptionA privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6373-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lxd (PTS)bookworm, bookworm (security)5.0.2-5+deb12u6vulnerable
trixie5.0.2+git20231211.1364ae4-9+deb13u6vulnerable
trixie (security)5.0.2+git20231211.1364ae4-9+deb13u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lxdsourcetrixie5.0.2+git20231211.1364ae4-9+deb13u7DSA-6373-1
lxdsource(unstable)(unfixed)

Notes

https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552
https://github.com/canonical/lxd/pull/18301
https://github.com/canonical/lxd/pull/18303
https://github.com/canonical/lxd/pull/18304
Search for package or bug name: Reporting problems