Severity by source
- Primary rating, Vendor (canonical): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Alternative reading (differs from the vendor vector on PR and S): API-reachable with low complexity, needs an existing operator account (PR:L); escaping a confined project to host root is a scope change (S:C) with full host compromise.
Description (CVE.org)
A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
Analysis (AI)
Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires three concrete conditions drawn from the description: (1) LXD must be deployed as a restricted multi-tenant environment with project-restriction policies in force; single-tenant or unrestricted installs are not affected. (2) The attacker must already hold an authenticated project operator account in such a restricted project (PR:H), so this is not anonymous. (3) The attacker must be able to import an instance backup and restore a snapshot, with the backup crafted to embed restricted configuration keys inside a snapshot definition. … |
| Risk Assessment | The vendor CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2 High) reflects a network-reachable LXD API, low attack complexity, and full host compromise, but is gated behind high privileges (an existing project operator account) and, critically, a non-default deployment: it is only exploitable where LXD is configured for restricted multi-tenant projects. … |
| Exploit Scenario | A tenant operator on a shared LXD host crafts an instance backup whose snapshot definition contains restricted configuration keys (for example `security.privileged` or restricted volatile keys) that project policy would normally reject. They import the backup into their restricted project and restore the snapshot; LXD applies the restricted keys to the live instance without policy validation, and starting that instance yields root on the underlying host. … |
| Remediation | Vendor-released patch: upgrade to LXD 6.9, 5.21.5, or 5.0.7 or later, depending on your branch, per advisory GHSA-ppq7-4492-5552 (https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552); the corresponding code fixes are in https://github.com/canonical/lxd/pull/18301, /18303 and /18304. … |
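To make the defect and its fix concrete from the defender's side, here is an added Go example. It is not LXD's own code: the `Project`, `Instance` and `Snapshot` structs, the two policy checks modeled (`restricted.containers.privilege` gating `security.privileged`, `restricted.containers.lowlevel` gating the `raw.*` keys) and all sample data are assumptions constructed for illustration. It places the unchecked restore the description talks about beside a validated one, and adds an audit helper that lists live or snapshot config a restricted project's policy should have blocked, which is what an operator would look for on a host that cannot be patched yet.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed models (not LXD's types). A restricted project carries restricted=true
// plus restriction keys; an instance carries live config and imported snapshots.
type (
	Project  struct{ Name string; Config map[string]string }
	Snapshot struct{ Name string; Config map[string]string }
	Instance struct {
		Name, Project string
		Config        map[string]string
		Snapshots     []Snapshot
	}
)

// restrictedKeyViolation explains why key=value is blocked by the project policy,
// or returns "" when allowed. Only two checks are modeled here (assumption).
func restrictedKeyViolation(p Project, key, value string) string {
	if p.Config["restricted"] != "true" {
		return "" // unrestricted project: nothing to enforce
	}
	switch key {
	case "security.privileged":
		if value == "true" && p.Config["restricted.containers.privilege"] != "allow" {
			return fmt.Sprintf("%s=true blocked by restricted.containers.privilege=%q",
				key, p.Config["restricted.containers.privilege"])
		}
	case "raw.lxc", "raw.apparmor", "raw.idmap", "raw.seccomp":
		if p.Config["restricted.containers.lowlevel"] != "allow" { // unset means block
			return fmt.Sprintf("%s blocked by restricted.containers.lowlevel=%q",
				key, p.Config["restricted.containers.lowlevel"])
		}
	}
	return ""
}

// restoreSnapshotUnchecked models the defective behaviour the CVE describes:
// snapshot config is copied onto the live instance with no policy check.
func restoreSnapshotUnchecked(inst *Instance, snap Snapshot) {
	for k, v := range snap.Config {
		inst.Config[k] = v
	}
}

// restoreSnapshotValidated is the hardened form: every snapshot key is checked
// against the owning project's policy, and nothing is applied if any key fails.
func restoreSnapshotValidated(p Project, inst *Instance, snap Snapshot) error {
	var violations []string
	for k, v := range snap.Config {
		if why := restrictedKeyViolation(p, k, v); why != "" {
			violations = append(violations, why)
		}
	}
	if len(violations) > 0 {
		sort.Strings(violations) // map order is random; keep the message stable
		return fmt.Errorf("snapshot %q rejected: %s", snap.Name, strings.Join(violations, "; "))
	}
	restoreSnapshotUnchecked(inst, snap) // safe now: every key passed policy
	return nil
}

// auditInstances lists live or snapshot config that the owning project's policy
// should have blocked; findings are sorted so output is deterministic.
func auditInstances(projects map[string]Project, insts []Instance) []string {
	var findings []string
	for _, inst := range insts {
		p := projects[inst.Project]
		for k, v := range inst.Config {
			if why := restrictedKeyViolation(p, k, v); why != "" {
				findings = append(findings, fmt.Sprintf("%s/%s live config: %s", inst.Project, inst.Name, why))
			}
		}
		for _, s := range inst.Snapshots {
			for k, v := range s.Config {
				if why := restrictedKeyViolation(p, k, v); why != "" {
					findings = append(findings, fmt.Sprintf("%s/%s snapshot %s: %s", inst.Project, inst.Name, s.Name, why))
				}
			}
		}
	}
	sort.Strings(findings)
	return findings
}

// sampleData is constructed input: a restricted tenant project, an unrestricted
// project, and three instances, one carrying a crafted snapshot with forbidden keys.
func sampleData() (map[string]Project, []Instance) {
	projects := map[string]Project{
		"tenant-a": {Name: "tenant-a", Config: map[string]string{
			"restricted": "true", "restricted.containers.privilege": "unprivileged",
			"restricted.containers.lowlevel": "block"}},
		"default": {Name: "default", Config: map[string]string{}},
	}
	insts := []Instance{
		{Name: "web", Project: "tenant-a", Config: map[string]string{"security.privileged": "false"},
			Snapshots: []Snapshot{{Name: "snap0", Config: map[string]string{
				"security.privileged": "true", "raw.lxc": "lxc.log.level=1"}}}},
		{Name: "escaped", Project: "tenant-a", Config: map[string]string{"security.privileged": "true"}},
		{Name: "db", Project: "default", Config: map[string]string{"security.privileged": "true"}},
	}
	return projects, insts
}

func main() {
	projects, insts := sampleData()
	web := &insts[0]
	if err := restoreSnapshotValidated(projects["tenant-a"], web, web.Snapshots[0]); err != nil {
		fmt.Println("validated restore:", err)
	}
	for _, f := range auditInstances(projects, insts) {
		fmt.Println("finding:", f)
	}
}
```

Running it prints the rejection for the crafted `snap0` and three audit findings: the two forbidden keys inside the snapshot, plus the live `security.privileged=true` on the `escaped` instance (the post-exploitation state an unpatched host would show); the privileged instance in the unrestricted `default` project is correctly not flagged. The validated restore is all-or-nothing on purpose: applying the allowed keys and skipping the rest would still leave the instance in a state the tenant never declared.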
Recommended Action (AI)
Within 24 hours: Inventory all LXD deployments and identify systems running affected versions (6.0-6.8, 5.21.0-5.21.4, 5.0.0-5.0.6); prioritize multi-tenant configurations and restrict project operator access as an interim measure. …
Same weakness: CWE-863 – Incorrect Authorization
Same technique: Authentication Bypass
EUVD-2026-39794