
LXD CVE-2026-9639

EUVD: EUVD-2026-39789 · MEDIUM
NULL Pointer Dereference (CWE-476)
Published 2026-06-26 · Vendor: canonical
CVSS 3.1 base score: 6.5

Severity by source

- Vendor (canonical), primary: 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- vuln.today AI: 6.5 MEDIUM

Rationale (vuln.today AI): network-accessible LXD API, low complexity; PR:L because the can_create_storage_volumes permission is required; the crash yields A:H with no data exposure.

- CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (canonical).

CVSS Vector (Vendor: canonical)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High

Lifecycle Timeline

- Source Code Evidence Fetched: Jun 26, 2026 - 16:21 (vuln.today)
- Analysis Generated: Jun 26, 2026 - 16:21 (vuln.today)
- CVE Published: Jun 26, 2026 - 15:39 (cve.org)

Description (CVE.org)

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.

Analysis (AI)

Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

- Access: obtain an LXD account with can_create_storage_volumes
- Delivery: craft a backup tarball omitting the snapshot expires_at field
- Exploit: submit the tarball to the LXD REST API restore endpoint
- Execution: trigger the nil-pointer dereference in CreateCustomVolumeFromBackup
- Persist: LXD daemon crashes
- Impact: denial of service disrupts all hosted containers

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated LXD user account that has been explicitly granted the can_create_storage_volumes permission within LXD's authorization model. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H reflects a network-reachable, low-complexity attack requiring only low-privilege authenticated access, with high availability impact and no confidentiality or integrity exposure. …

Exploit Scenario: An authenticated LXD user holding the can_create_storage_volumes permission constructs a backup tarball containing a snapshot entry with the expires_at field omitted. The user submits this tarball to the LXD REST API endpoint for custom volume restoration, triggering the nil-pointer dereference in CreateCustomVolumeFromBackup. …

Remediation: Upstream fix commits are available in Canonical's GitHub repository via pull requests #18320 (https://github.com/canonical/lxd/pull/18320) and #18390 (https://github.com/canonical/lxd/pull/18390). …


More in LXD

- CVE-2025-54286 (HIGH, PoC, 8.8, Oct 02): Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and s
- CVE-2025-54289 (HIGH, PoC, 8.1, Oct 02): Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions
- CVE-2025-54288 (MEDIUM, PoC, 6.8, Oct 02): Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attack
- CVE-2025-54293 (MEDIUM, PoC, 6.5, Oct 02): Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attacker
- CVE-2025-54287 (MEDIUM, PoC, 6.5, Oct 02): An arbitrary file access vulnerability (CVSS 6.5) that allows an attacker with instance configuration permissions. Risk
- CVE-2026-12411 (CRITICAL, 9.6, Jun 26): Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and
- CVE-2025-54290 (MEDIUM, PoC, 5.3, Oct 02): Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to d
- CVE-2025-54291 (MEDIUM, PoC, 5.3, Oct 02): Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remo
- CVE-2025-54292 (MEDIUM, PoC, 4.6, Oct 02): Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attac
- CVE-2026-3351 (MEDIUM, PoC, 4.3, Mar 03): Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authen
- CVE-2026-9640 (HIGH, 7.2, Jun 26): Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project
- CVE-2026-28385 (MEDIUM, 5.0, Jun 26): Server-Side Request Forgery in Canonical LXD's image import endpoint allows authenticated users holding the can_create_i


CVE-2026-9639 vulnerability details – vuln.today
