Platform: go
Component: github.com/canonical/lxd
Fixed in: 5.0.7, 5.21.5, 6.8.0, 0.0.1
CVE-2026-34177 is a critical remote code execution (RCE) vulnerability affecting LXD, a container management platform. This flaw allows a user with can_edit permission on a VM instance within a restricted project to gain full cluster administrator access by bypassing project restrictions. Affected versions include those prior to 6.8.0. A fix has been released in version 6.8.0.
The vulnerability stems from a missing check in the isVMLowLevelOptionForbidden function within LXD's permissions handling. Specifically, raw.apparmor and raw.qemu.conf are not included in the list of forbidden low-level options. An attacker can exploit this by combining these omissions to bridge the LXD unix socket into the guest VM. This effectively allows them to inject raw configuration data, bypassing the intended security control (restricted.virtual-machines.lowlevel=block). Successful exploitation grants the attacker complete control over the LXD cluster, enabling them to create, modify, and delete containers, networks, and storage volumes, potentially leading to complete system compromise and data exfiltration. The blast radius extends to all resources managed by the LXD cluster.
This vulnerability was publicly disclosed on 2026-04-10. While no active exploitation campaigns have been publicly reported, the critical severity and the availability of detailed information suggest a high probability of exploitation. The vulnerability's impact is significant, allowing for complete cluster takeover. It is recommended to prioritize patching. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit status:
EPSS: 0.14% (33rd percentile)
CISA SSVC: not given
CVSS vector: not given
The primary mitigation is to upgrade LXD to version 6.8.0 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a temporary workaround by manually adding raw.apparmor and raw.qemu.conf to the forbidden low-level options list within the LXD project configuration. This can be achieved by modifying the project's configuration file. Monitor LXD logs for suspicious activity, particularly attempts to modify VM configurations or access restricted resources. After upgrading, verify the fix by attempting to inject raw configuration options into a VM and confirming that the operation is denied.
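As an added audit helper for the monitoring step above (example code, not part of LXD or this advisory): it reads the JSON that `lxc project list --format json` and `lxc list --all-projects --format json` print and flags VMs in restricted projects whose local config already sets `raw.apparmor` or `raw.qemu.conf`, the two keys the page says the pre-6.8.0 denylist omitted. It assumes those two JSON shapes and that an absent `restricted.virtual-machines.lowlevel` key means the default `block`; the sample documents are constructed.

```python
"""Flag VMs in low-level-blocked LXD projects that carry raw.apparmor or
raw.qemu.conf. Added example, not LXD code; JSON shapes are assumed."""
import json

# Keys the advisory says the pre-6.8.0 denylist omitted.
MISSING_FROM_DENYLIST = ("raw.apparmor", "raw.qemu.conf")


def restricted_lowlevel_block(project: dict) -> bool:
    """True when the project is restricted and VM low-level options are
    blocked. Assumption: a missing lowlevel key defaults to "block"."""
    cfg = project.get("config", {})
    if cfg.get("restricted", "false") != "true":
        return False
    return cfg.get("restricted.virtual-machines.lowlevel", "block") == "block"


def find_bypass_candidates(projects: list, instances: list) -> list:
    """Return (project, instance, key) for each VM in a blocking project
    whose local config sets one of the keys the fix now forbids."""
    blocking = {p["name"] for p in projects if restricted_lowlevel_block(p)}
    hits = []
    for inst in instances:
        if inst.get("type") != "virtual-machine":
            continue  # the restriction bypass concerns VMs only
        if inst.get("project") not in blocking:
            continue
        for key in MISSING_FROM_DENYLIST:
            if key in inst.get("config", {}):
                hits.append((inst["project"], inst["name"], key))
    return hits


# Constructed sample output (not from a real cluster).
SAMPLE_PROJECTS = json.loads("""[
 {"name": "default", "config": {}},
 {"name": "tenant-a", "config": {"restricted": "true",
   "restricted.virtual-machines.lowlevel": "block"}}
]""")
SAMPLE_INSTANCES = json.loads("""[
 {"name": "vm1", "project": "tenant-a", "type": "virtual-machine",
  "config": {"raw.apparmor": "(constructed)", "limits.cpu": "2"}},
 {"name": "c1", "project": "tenant-a", "type": "container",
  "config": {"raw.apparmor": "(constructed)"}},
 {"name": "vm2", "project": "default", "type": "virtual-machine",
  "config": {"raw.qemu.conf": "(constructed)"}}
]""")

if __name__ == "__main__":
    for proj, name, key in find_bypass_candidates(SAMPLE_PROJECTS, SAMPLE_INSTANCES):
        print(f"{proj}/{name}: {key} set although lowlevel=block")
```

Run it against real output by replacing the two sample documents with `json.load()` of the `lxc` commands named in the lead-in; any hit is a VM that should be reviewed and re-tested after the upgrade.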
Update to version 6.8.0 or later to mitigate the vulnerability. This update corrects the incomplete denylist that allowed the low-level restrictions on virtual machines to be bypassed, preventing the privilege escalation.
CVE-2026-34177 is a critical remote code execution vulnerability in LXD versions prior to 6.8.0. It allows attackers to gain full cluster administrator access by bypassing project restrictions.
You are affected if you are running LXD versions prior to 6.8.0. Check your LXD version and upgrade immediately if necessary.
Upgrade LXD to version 6.8.0 or later. As a temporary workaround, manually add raw.apparmor and raw.qemu.conf to the forbidden low-level options list in your project configuration.
While no active exploitation campaigns have been publicly reported, the critical severity and available information suggest a high probability of exploitation. Prioritize patching.
Refer to the official LXD security advisory for detailed information and updates.