
Canonical LXD CVE-2026-12411

EUVD: EUVD-2026-39788 · CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
Published 2026-06-26 · source: canonical
CVSS 3.1 base score (NVD): 9.6

Severity by source

Vendor (canonical), primary: HIGH (qualitative)
NVD: 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI: 8.4 HIGH

Rationale for the AI rating: the attack originates inside a guest via the guest-local /dev/lxd socket (AV:L) and needs an existing guest foothold plus the non-default security.devlxd.management.volumes setting (PR:L); reaching another guest's volume is a scope change (S:C). The AI vector and the NVD vector differ only in Attack Vector (Local versus Network), which is the whole 8.4 versus 9.6 gap.

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (canonical).

CVSS vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Note that NVD rates the Attack Vector as Network even though the request is sent over the guest-local /dev/lxd socket; the vuln.today vector above scores the same metric as Local.

Lifecycle Timeline (7 events, newest first)

Jul 02, 2026 15:00 · vuln.today · Analysis updated, v3 (cvss_changed)
Jul 02, 2026 15:00 · vuln.today · Analysis updated, v2 (cvss_changed)
Jul 02, 2026 14:52 · vuln.today · Re-analysis queued (cvss_changed)
Jul 02, 2026 14:52 · NVD · Severity changed: HIGH → CRITICAL
Jul 02, 2026 14:52 · NVD · CVSS changed: 8.4 (HIGH) → 9.6 (CRITICAL)
Jun 26, 2026 16:16 · vuln.today · Source code evidence fetched
Jun 26, 2026 16:16 · vuln.today · Analysis generated

Description (NVD)

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

Analysis (AI)

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and overwrite the custom storage volumes owned by other guests on the same host, breaking tenant isolation. Exploitation requires the non-default security.devlxd.management.volumes option to be enabled, and is fixed in LXD 6.9. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: gain control of a guest instance on a shared host.
2. Delivery: open the guest-local /dev/lxd management socket.
3. Exploit: send a crafted device PATCH naming the victim's custom volume.
4. Execution: the handler skips the ownership check and mounts the foreign volume.
5. Impact: read and overwrite another guest's storage data.

Vulnerability Assessment (AI)

Exploitation: the host must have security.devlxd.management.volumes explicitly enabled. This is a non-default configuration setting and is the single most important prerequisite. …

Risk assessment: signals conflict and must be weighed carefully. …

Exploit scenario: an attacker who controls one guest instance on a shared LXD host (for example a low-trust tenant container) crafts a device PATCH request to /dev/lxd referencing another tenant's custom storage volume identifier. Because the handler does not check ownership, the volume is mounted into the attacker's guest, allowing it to read confidential data and overwrite the victim's data. …

Remediation: upgrade to Canonical LXD 6.9, which contains the fix, delivered via pull request https://github.com/canonical/lxd/pull/18585 and documented in advisory https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp. …

Recommended Action (AI)

Within 24 hours: audit all LXD deployments to identify instances with security.devlxd.management.volumes enabled; disable it immediately where it is not operationally required. Because that setting is the prerequisite the assessment identifies, clearing it removes the exposure on hosts that cannot be moved to LXD 6.9 straight away. …
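The audit step above has two parts: is the server on an affected release (6.6 through 6.8 per the analysis on this page), and which instances actually have security.devlxd.management.volumes in effect. The following script is an added example, not Canonical's or vuln.today's code. It assumes the option is an instance configuration key that can also be inherited from a profile, so it checks each instance's profile-expanded configuration and reports where the value comes from, then emits the matching unset command. The `lxc query` REST paths (`/1.0`, `/1.0/instances?recursion=1`, `/1.0/profiles?recursion=1`) are standard LXD API paths; the sample server, profile and instance records are constructed and used only when no `lxc` client is on the PATH.

```python
"""Audit an LXD host for CVE-2026-12411 exposure: an affected server version combined
with any instance whose effective (profile-expanded) configuration enables
security.devlxd.management.volumes. Hypothetical helper, not part of LXD."""
import json
import shutil
import subprocess

KEY = "security.devlxd.management.volumes"
TRUE_VALUES = {"true", "1", "yes", "on"}  # boolean spellings LXD accepts in config values

# Constructed sample data in the shape `lxc query` returns; not captured from a real host.
SAMPLE_SERVER = {"environment": {"server_version": "6.8"}}
SAMPLE_PROFILES = [
    {"name": "default", "config": {}},
    {"name": "devlxd-volumes", "config": {KEY: "true"}},
]
SAMPLE_INSTANCES = [
    {"name": "web1", "profiles": ["default"], "config": {}, "expanded_config": {}},
    {"name": "ci-runner", "profiles": ["default"],
     "config": {KEY: "true"}, "expanded_config": {KEY: "true"}},
    {"name": "tenant-b", "profiles": ["default", "devlxd-volumes"],
     "config": {}, "expanded_config": {KEY: "true"}},  # inherited from the profile
    {"name": "tenant-c", "profiles": ["default", "devlxd-volumes"],
     "config": {KEY: "false"}, "expanded_config": {KEY: "false"}},  # instance override wins
]


def is_true(value):
    return value is not None and str(value).strip().lower() in TRUE_VALUES


def parse_version(version):
    """'6.8' -> (6, 8), '5.21.4' -> (5, 21); ignores any '-suffix'."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:2])


def version_affected(version):
    """Affected range as stated on this page: 6.6 through 6.8, fixed in 6.9."""
    return (6, 6) <= parse_version(version) <= (6, 8)


def find_exposed(instances, profiles):
    """Instances whose expanded config enables the key, plus where the value comes from.
    expanded_config already merges profiles, so inherited settings are caught; the
    instance's own config tells us whether to unset on the instance or on a profile."""
    profile_config = {p["name"]: p.get("config", {}) for p in profiles}
    findings = []
    for inst in instances:
        if not is_true(inst.get("expanded_config", {}).get(KEY)):
            continue
        if KEY in inst.get("config", {}):
            findings.append({"instance": inst["name"], "origin": "instance", "profiles": []})
        else:
            origins = [p for p in inst.get("profiles", [])
                       if is_true(profile_config.get(p, {}).get(KEY))]
            findings.append({"instance": inst["name"], "origin": "profile", "profiles": origins})
    return findings


def remediation_commands(findings):
    """lxc commands that clear the flag at its source (deduplicated, stable order)."""
    cmds = set()
    for f in findings:
        if f["origin"] == "instance":
            cmds.add(f"lxc config unset {f['instance']} {KEY}")
        for profile in f["profiles"]:
            cmds.add(f"lxc profile unset {profile} {KEY}")
    return sorted(cmds)


def lxc_query(path):
    """Run `lxc query <path>` and decode its JSON (needs the lxc client and a reachable daemon)."""
    proc = subprocess.run(["lxc", "query", path], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit(server, instances, profiles):
    version = server["environment"]["server_version"]
    findings = find_exposed(instances, profiles)
    return {
        "server_version": version,
        "affected_version": version_affected(version),
        "exposed_instances": findings,
        "remediation": remediation_commands(findings),
    }


if __name__ == "__main__":
    if shutil.which("lxc"):
        report = audit(lxc_query("/1.0"),
                       lxc_query("/1.0/instances?recursion=1"),
                       lxc_query("/1.0/profiles?recursion=1"))
    else:  # no lxc client here: demonstrate on the constructed sample
        report = audit(SAMPLE_SERVER, SAMPLE_INSTANCES, SAMPLE_PROFILES)
    print(json.dumps(report, indent=2))
```

On the sample data the report flags ci-runner (set directly) and tenant-b (inherited from the devlxd-volumes profile) and skips tenant-c, whose instance-level "false" overrides the profile. The script queries only the current project; on multi-project hosts run it once per project by appending `&project=NAME` to the instances and profiles paths, and remember that clearing a profile key affects every instance using that profile.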

More in LXD

CVE-2025-54286 · HIGH 8.8 · Oct 02 · PoC available
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and s

CVE-2025-54289 · HIGH 8.1 · Oct 02 · PoC available
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions

CVE-2025-54288 · MEDIUM 6.8 · Oct 02 · PoC available
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attack

CVE-2025-54293 · MEDIUM 6.5 · Oct 02 · PoC available
Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attacker

CVE-2025-54287 · MEDIUM 6.5 · Oct 02 · PoC available
An arbitrary file access vulnerability (CVSS 6.5) that allows an attacker with instance configuration permissions. Risk

CVE-2025-54290 · MEDIUM 5.3 · Oct 02 · PoC available
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to d

CVE-2025-54291 · MEDIUM 5.3 · Oct 02 · PoC available
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remo

CVE-2025-54292 · MEDIUM 4.6 · Oct 02 · PoC available
Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attac

CVE-2026-3351 · MEDIUM 4.3 · Mar 03 · PoC available
Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authen

CVE-2026-9640 · HIGH 7.2 · Jun 26
Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project

CVE-2026-9639 · MEDIUM 6.5 · Jun 26
Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_stor

CVE-2026-28385 · MEDIUM 5.0 · Jun 26
Server-Side Request Forgery in Canonical LXD's image import endpoint allows authenticated users holding the can_create_i


CVE-2026-12411 vulnerability details – vuln.today
