Platform: go
Component: github.com/canonical/lxd
Fixed in: 5.0.7, 5.21.5, 6.8.0, 0.0.1
CVE-2026-34178 represents a critical Remote Code Execution (RCE) vulnerability discovered in the LXD container management system. The flaw arises from a discrepancy in how LXD imports instance backups: an attacker can craft a malicious backup that bypasses project restrictions and potentially gains unauthorized control. The vulnerability affects LXD versions up to 0.0.0-20260226085519-736f34afb267, and a fix is available in version 6.8.0.
CVE-2026-34178 in LXD allows an attacker to bypass project restrictions during backup import. LXD validates project restrictions against backup/index.yaml within the tar archive, but creates the actual instance from backup/container/backup.yaml extracted to the storage volume. Because these are separate, independently attacker-controlled files within the same tar archive, an attacker with instance-creation rights in a restricted project can craft a backup where index.yaml contains clean configuration (passing all restriction checks) while backup.yaml contains configurations that allow unauthorized code execution or access to restricted resources. This could lead to privilege escalation, unauthorized access to sensitive data, or the execution of malicious code within the project, even if the project is designed to be isolated.
The attacker needs permission to create instances within a restricted project. They can craft a malicious backup whose index.yaml passes the initial restriction validation while its backup.yaml contains configuration that allows code execution or unauthorized access to resources. Importing this backup causes LXD to create the instance from the configuration in backup.yaml, so the restrictions that were checked only against index.yaml are bypassed. This is particularly concerning in multi-tenant environments where projects are designed to be isolated.
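As an added example (not LXD's own code), a defensive pre-import check in Go that reads the two files the advisory names from a backup tar and reports every config key on which backup.yaml disagrees with index.yaml, which is exactly the inconsistency this bug exploits. The flat "config:" layout it parses and the YAML contents used to exercise it are constructed, simplified stand-ins for LXD's real files; the member paths are the ones quoted above.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"strings"
)

// Paths as named in the advisory; the flat "config:" layout parsed below is a simplified stand-in for LXD's real YAML (an assumption).
const indexPath, backupPath = "backup/index.yaml", "backup/container/backup.yaml"
// configMap reads "  key: value" lines after "config:" up to the first unindented line (a real check would use a YAML parser).
func configMap(doc string) map[string]string {
	cfg := map[string]string{}
	_, body, _ := strings.Cut(doc, "config:\n")
	for _, line := range strings.Split(body, "\n") {
		if !strings.HasPrefix(line, "  ") {
			break
		}
		k, v, _ := strings.Cut(strings.TrimSpace(line), ":")
		cfg[k] = strings.TrimSpace(v)
	}
	return cfg
}
// Mismatches reads both members from an uncompressed backup tar and returns each config key whose
// backup.yaml value differs from index.yaml as {index, backup}; a non-empty result means reject the import.
func Mismatches(archive []byte) (map[string][2]string, error) {
	docs := map[string]string{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if h.Name == indexPath || h.Name == backupPath {
			b, err := io.ReadAll(tr)
			if err != nil {
				return nil, err
			}
			docs[h.Name] = string(b)
		}
	}
	idx, diff := configMap(docs[indexPath]), map[string][2]string{}
	for k, v := range configMap(docs[backupPath]) {
		if idx[k] != v {
			diff[k] = [2]string{idx[k], v}
		}
	}
	return diff, nil
}
```

A key present only in backup.yaml is reported with an empty index value, which is the pattern described above: a clean index.yaml paired with extra settings in backup.yaml.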
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34178 is to upgrade LXD to version 6.8.0 or later. This version patches the vulnerability by validating project restrictions against both files (index.yaml and backup.yaml) during the backup import process. As an additional precaution, carefully review all imported backups, especially those from untrusted sources. Furthermore, implementing robust security policies that limit instance creation privileges and access to resources can help reduce the potential impact of this vulnerability.
Upgrade to LXD version 6.8.0 or later. This version fixes the vulnerability by validating project restrictions against the correct file in the imported backup, preventing the possibility of bypassing restrictions and compromising the host.
LXD is a type 1 virtualization system that provides a simple and secure way to create and manage Linux containers.
This vulnerability allows an attacker to bypass LXD security restrictions, which could lead to privilege escalation and unauthorized access to data.
Upgrade LXD to version 6.8.0 or later as soon as possible.
Carefully review all imported backups and implement robust security policies.
If you have imported backups from untrusted sources, you may have been affected. Monitor your system for suspicious activity.