CVE-2026-28384

NameCVE-2026-28384
DescriptionAn improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6184-1, DSA-6188-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)trixie (security), trixie6.0.4-2+deb13u8fixed
forky7.0.0-5fixed
sid7.0.1-1fixed
lxd (PTS)bookworm, bookworm (security)5.0.2-5+deb12u6vulnerable
trixie (security), trixie5.0.2+git20231211.1364ae4-9+deb13u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussourcetrixie6.0.4-2+deb13u5DSA-6184-1
incussource(unstable)6.0.6-1
lxdsourcebookworm(unfixed)end-of-life
lxdsourcetrixie5.0.2+git20231211.1364ae4-9+deb13u4DSA-6188-1
lxdsource(unstable)(unfixed)

Notes

[bookworm] - lxd <end-of-life> (EOL in bookworm LTS)
https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g
https://github.com/canonical/lxd/pull/17820
https://github.com/lxc/incus/pull/2972

Search for package or bug name: Reporting problems