Skip to main content

Lxd

17 CVEs product

Monthly

CVE-2026-28385 MEDIUM PATCH This Month

Server-Side Request Forgery in Canonical LXD's image import endpoint allows authenticated users holding the can_create_images entitlement to direct the LXD daemon to make arbitrary outbound HTTP connections, including to loopback addresses, RFC1918 private ranges, and cloud instance metadata services such as 169.254.169.254. Affected versions span 4.12 through 6.9. An attacker can leverage error-based responses to enumerate internal TCP ports and fingerprint internal HTTP services from the daemon's privileged network position, enabling lateral reconnaissance in multi-tenant or cloud-hosted environments. No public exploit code has been identified at time of analysis, and CISA has not listed this in KEV.

SSRF Canonical Lxd
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-9640 HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-9639 MEDIUM PATCH This Month

Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. No public exploit or CISA KEV listing exists at time of analysis, but upstream fix commits are available from Canonical.

Denial Of Service Null Pointer Dereference Lxd
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-12411 CRITICAL PATCH Act Now

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and overwrite the custom storage volumes owned by other guests on the same host, breaking tenant isolation. Exploitation requires the non-default security.devlxd.management.volumes option to be enabled, and is fixed in LXD 6.9. Rated CVSS 9.6 with a scope change and CISA SSVC 'total' technical impact; SSVC lists exploitation as proof-of-concept, but EPSS is very low (0.11%, 1st percentile) and it is not in CISA KEV.

Authentication Bypass Canonical Lxd
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-3351 Go MEDIUM POC PATCH This Month

Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.

Linux Lxd Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54293 Go MEDIUM POC PATCH This Month

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Path Traversal Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-54292 MEDIUM POC PATCH This Month

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

Path Traversal Ubuntu Lxd Suse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-54291 Go MEDIUM POC PATCH This Month

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

Information Disclosure Debian Lxd Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-54290 Go MEDIUM POC PATCH This Month

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Information Disclosure Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-54289 Go HIGH POC PATCH This Week

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

Privilege Escalation Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-54288 Go MEDIUM POC PATCH This Month

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.

Authentication Bypass Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-54287 Go MEDIUM POC PATCH This Month

A arbitrary file access vulnerability (CVSS 6.5) that allows an attacker with instance configuration permissions. Risk factors: public PoC available.

Code Injection Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-54286 Go HIGH POC PATCH This Week

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

CSRF Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-6219 Go LOW POC PATCH Monitor

Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lxd
NVD GitHub
CVSS 3.1
3.8
EPSS
0.2%
CVE-2024-6156 Go LOW POC PATCH Monitor

Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Lxd
NVD GitHub
CVSS 3.1
3.8
EPSS
0.2%
CVE-2016-1582 MEDIUM This Month

LXD before 2.0.2 does not properly set permissions when switching an unprivileged container into privileged mode, which allows local users to access arbitrary world readable paths in the container. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ubuntu Linux Lxd
NVD
CVSS 3.0
5.5
EPSS
0.0%
CVE-2016-1581 MEDIUM This Month

LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs.img when setting up a loop based ZFS pool, which allows local users to copy and read data from arbitrary containers via. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Ubuntu Linux Lxd
NVD
CVSS 3.0
5.5
EPSS
0.0%
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Server-Side Request Forgery in Canonical LXD's image import endpoint allows authenticated users holding the can_create_images entitlement to direct the LXD daemon to make arbitrary outbound HTTP connections, including to loopback addresses, RFC1918 private ranges, and cloud instance metadata services such as 169.254.169.254. Affected versions span 4.12 through 6.9. An attacker can leverage error-based responses to enumerate internal TCP ports and fingerprint internal HTTP services from the daemon's privileged network position, enabling lateral reconnaissance in multi-tenant or cloud-hosted environments. No public exploit code has been identified at time of analysis, and CISA has not listed this in KEV.

SSRF Canonical Lxd
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. No public exploit or CISA KEV listing exists at time of analysis, but upstream fix commits are available from Canonical.

Denial Of Service Null Pointer Dereference Lxd
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and overwrite the custom storage volumes owned by other guests on the same host, breaking tenant isolation. Exploitation requires the non-default security.devlxd.management.volumes option to be enabled, and is fixed in LXD 6.9. Rated CVSS 9.6 with a scope change and CISA SSVC 'total' technical impact; SSVC lists exploitation as proof-of-concept, but EPSS is very low (0.11%, 1st percentile) and it is not in CISA KEV.

Authentication Bypass Canonical Lxd
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.

Linux Lxd Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Path Traversal Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

Path Traversal Ubuntu Lxd +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

Information Disclosure Debian Lxd +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Information Disclosure Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

Privilege Escalation Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.

Authentication Bypass Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

A arbitrary file access vulnerability (CVSS 6.5) that allows an attacker with instance configuration permissions. Risk factors: public PoC available.

Code Injection Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

CSRF Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 3.8
LOW POC PATCH Monitor

Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lxd
NVD GitHub
EPSS 0% CVSS 3.8
LOW POC PATCH Monitor

Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Lxd
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

LXD before 2.0.2 does not properly set permissions when switching an unprivileged container into privileged mode, which allows local users to access arbitrary world readable paths in the container. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ubuntu Linux Lxd
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs.img when setting up a loop based ZFS pool, which allows local users to copy and read data from arbitrary containers via. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Ubuntu Linux Lxd
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy