LXD Snapshot Import Privilege Escalation Vulnerability_CVE-2026-9640

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.

Basic Information

ID CVE-2026-9640

Source canonical

Published Jun 26, 2026 at 15:50

Modified Jun 26, 2026 at 16:00

Affected Product

Vendor Canonical

Product LXD

Version 5.21.0

Affected Versions Canonical LXD 5.21.0
Canonical LXD 5.0.0
Canonical LXD 6.0

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.",
    "published": "2026-06-26T15:50:38.453Z",
    "modified": "2026-06-26T16:00:24.172Z",
    "type": "cve",
    "title": "LXD Snapshot Import Privilege Escalation Vulnerability",
    "source": "canonical",
    "references": "https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552\nhttps://github.com/canonical/lxd/pull/18301\nhttps://github.com/canonical/lxd/pull/18303\nhttps://github.com/canonical/lxd/pull/18304",
    "id": "CVE-2026-9640",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Canonical LXD 5.21.0\nCanonical LXD 5.0.0\nCanonical LXD 6.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LXD",
    "version": "5.21.0",
    "vendor": "Canonical",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}