Skip to main content

Ubuntu CVE-2025-54290

| EUVDEUVD-2025-32639 MEDIUM
Information Exposure (CWE-200)
2025-10-02 security@ubuntu.com GHSA-p3x5-mvmp-5f35
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:12 euvd
EUVD-2025-32639
Analysis Generated
Mar 13, 2026 - 19:12 vuln.today
PoC Detected
Oct 24, 2025 - 14:20 vuln.today
Public exploit code
CVE Published
Oct 02, 2025 - 10:15 nvd
MEDIUM 5.3

DescriptionCVE.org

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Analysis

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

More in Lxd

View all
CVE-2025-54286 HIGH POC
8.8 Oct 02

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and s

CVE-2025-54289 HIGH POC
8.1 Oct 02

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions

CVE-2025-54288 MEDIUM POC
6.8 Oct 02

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attack

CVE-2025-54293 MEDIUM POC
6.5 Oct 02

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attacker

CVE-2025-54287 MEDIUM POC
6.5 Oct 02

A arbitrary file access vulnerability (CVSS 6.5) that allows an attacker with instance configuration permissions. Risk

CVE-2026-12411 CRITICAL
9.6 Jun 26

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and

CVE-2025-54291 MEDIUM POC
5.3 Oct 02

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remo

CVE-2025-54292 MEDIUM POC
4.6 Oct 02

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attac

CVE-2026-3351 MEDIUM POC
4.3 Mar 03

Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authen

CVE-2024-6219 LOW POC
3.8 Dec 06

Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust

CVE-2024-6156 LOW POC
3.8 Dec 06

Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was prese

CVE-2026-9640 HIGH
7.2 Jun 26

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project

Vendor StatusVendor

Ubuntu

Priority: Medium
lxd
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
upstream needs-triage -
bionic not-affected see notes
focal not-affected installs LXD snap
xenial not-affected see notes
questing DNE -

Debian

incus
Release Status Fixed Version Urgency
trixie fixed 6.0.4-2+deb13u1 -
trixie (security) fixed 6.0.4-2+deb13u4 -
forky, sid fixed 6.0.5-8 -
(unstable) fixed 6.0.5-1 -
lxd
Release Status Fixed Version Urgency
bookworm vulnerable 5.0.2-5+deb12u2 -
bookworm (security) vulnerable 5.0.2-5+deb12u3 -
trixie vulnerable 5.0.2+git20231211.1364ae4-9+deb13u2 -
trixie (security) vulnerable 5.0.2+git20231211.1364ae4-9+deb13u3 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2025-54290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy