Is Lxd affected by CVE-2026-34178?

Canonical LXD versions prior to 6.8 contain a critical privilege escalation vulnerability in backup import functionality that allows authenticated users to bypass project security restrictions and gain full host compromise through maliciously crafted backup archives.

CVE-2026-34178

EUVD-2026-20874 CRITICAL

2026-04-09 canonical

GHSA-q96j-3fmm-7fv4

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 09, 2026 - 09:30 vuln.today

EUVD ID Assigned

Apr 09, 2026 - 09:30 euvd

EUVD-2026-20874

Patch Released

Apr 09, 2026 - 09:30 nvd

Patch available

CVE Published

Apr 09, 2026 - 09:18 nvd

CRITICAL 9.1

Description

In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.

Analysis

Backup import in Canonical LXD before 6.8 bypasses project security restrictions, enabling privilege escalation to full host compromise. An authenticated remote attacker with instance-creation permission in a restricted project crafts malicious backup archives containing conflicting configuration files: backup/index.yaml passes validation, while backup/container/backup.yaml (never validated) carries forbidden directives like security.privileged=true or raw.lxc commands. …

Remediation

Within 24 hours: Identify all LXD deployments running versions before 6.8 and restrict backup import operations to trusted sources only; document current version inventory. Within 7 days: Upgrade all LXD instances to version 6.8 or later per Canonical's security advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: 0

CVE-2026-34178 vulnerability details – vuln.today

Back

CVE-2026-34178

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34178

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code