Skip to main content

Canonical EUVDEUVD-2026-20872

| CVE-2026-34177 CRITICAL
Incomplete List of Disallowed Inputs (CWE-184)
2026-04-09 canonical GHSA-fm2x-c5qw-4h6f
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 21:07 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 09:30 euvd
EUVD-2026-20872
Analysis Generated
Apr 09, 2026 - 09:30 vuln.today
Patch released
Apr 09, 2026 - 09:30 nvd
Patch available
CVE Published
Apr 09, 2026 - 09:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.

AnalysisAI

Privilege escalation in Canonical LXD 4.12-6.7 allows authenticated remote attackers with VM instance editing rights to bypass project restrictions via incomplete denylist validation. Attackers inject AppArmor rules and QEMU chardev configurations through unblocked raw.apparmor and raw.qemu.conf keys, bridging the LXD Unix socket into guest VMs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as VM editor in restricted project
Delivery
Inject raw.apparmor and raw.qemu.conf rules
Exploit
Bridge LXD Unix socket into guest VM
Execution
Escape VM and escalate to LXD administrator
Impact
Gain host root access

Vulnerability AssessmentAI

Exploitation Canonical LXD 4.12–6.7 with restricted.virtual-machines.lowlevel=block project restriction enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.1 reflects critical severity with network accessibility and high impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Authenticated attacker with can_edit VM permissions injects raw.apparmor and raw.qemu.conf directives to bridge LXD Unix socket into guest, escalating to cluster administrator then host root. No public exploit identified at time of analysis.
Remediation Vendor-released patch: Upgrade to Canonical LXD version 6.8 or later, which implements complete denylist validation blocking raw.apparmor and raw.qemu.conf keys in restricted projects. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all LXD deployments running versions 4.12-6.7 and restrict VM instance editing permissions to trusted administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2026-32731 CRITICAL
9.9 Mar 18

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to

CVE-2026-40453 CRITICAL
9.9 Apr 27

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such a

CVE-2026-48753 CRITICAL POC
9.9 Jun 26

Arbitrary host file write in Incus before 7.1.0 lets a holder of S3 bucket credentials escape the storage volume via a p

CVE-2026-54350 CRITICAL
9.8 Jun 23

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB

CVE-2026-12411 CRITICAL
9.6 Jun 26

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and

CVE-2026-44257 CRITICAL
9.3 May 12

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk usin

CVE-2026-41583 CRITICAL
9.3 May 08

Consensus failure in Zebra nodes before 4.3.1 allows remote attackers to trigger network partitioning by submitting V4 o

CVE-2026-34179 CRITICAL
9.1 Apr 09

Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to

CVE-2025-4404 CRITICAL
9.1 Jun 17

Critical privilege escalation vulnerability in FreeIPA that allows authenticated users with high privileges to create Ke

Vendor StatusVendor

SUSE

Severity: Critical

Share

EUVD-2026-20872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy