CVE-2026-28384

Name: CVE-2026-28384
Description: An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0/stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
Source: CVE
References: DSA-6184-1, DSA-6188-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version                              | Status
incus (PTS)    | trixie             | 6.0.4-2+deb13u4                      | vulnerable
               | trixie (security)  | 6.0.4-2+deb13u5                      | fixed
               | forky, sid         | 6.0.6-2                              | fixed
lxd (PTS)      | bookworm           | 5.0.2-5+deb12u2                      | vulnerable
               | bookworm (security)| 5.0.2-5+deb12u4                      | fixed
               | trixie             | 5.0.2+git20231211.1364ae4-9+deb13u3  | vulnerable
               | trixie (security)  | 5.0.2+git20231211.1364ae4-9+deb13u4  | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version                        | Urgency | Origin     | Debian Bugs
incus   | source | trixie     | 6.0.4-2+deb13u5                      |         | DSA-6184-1 |
incus   | source | (unstable) | 6.0.6-1                              |         |            |
lxd     | source | bookworm   | 5.0.2-5+deb12u4                      |         | DSA-6188-1 |
lxd     | source | trixie     | 5.0.2+git20231211.1364ae4-9+deb13u4  |         | DSA-6188-1 |
lxd     | source | (unstable) | (unfixed)                            |         |            |

Notes

https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g
https://github.com/canonical/lxd/pull/17820
https://github.com/lxc/incus/pull/2972
