A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
Advisories
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6373-1 | lxd security update |
Fixes
Solution
Upgrade to LXD version 6.9 or later, 5.21.5 or later, or 5.0.7 or later.
Workaround
No workaround given by the vendor.
References
History
Fri, 26 Jun 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Canonical
Canonical lxd |
|
| Vendors & Products |
Canonical
Canonical lxd |
Fri, 26 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 26 Jun 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access. | |
| Title | LXD Snapshot Import Privilege Escalation Vulnerability | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: canonical
Published:
Updated: 2026-06-30T03:55:24.628Z
Reserved: 2026-05-26T18:31:24.593Z
Link: CVE-2026-9640
Updated: 2026-06-26T16:00:17.949Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-26T23:30:05Z
Weaknesses
Debian DSA