CVE-2026-9639

NameCVE-2026-9639
DescriptionNil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6373-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lxd (PTS)bookworm, bookworm (security)5.0.2-5+deb12u6vulnerable
trixie5.0.2+git20231211.1364ae4-9+deb13u6vulnerable
trixie (security)5.0.2+git20231211.1364ae4-9+deb13u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lxdsourcetrixie5.0.2+git20231211.1364ae4-9+deb13u7DSA-6373-1
lxdsource(unstable)(unfixed)

Notes

https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8
https://github.com/canonical/lxd/pull/18320
https://github.com/canonical/lxd/pull/18390
Search for package or bug name: Reporting problems