Platform
go
Component
github.com/canonical/lxd
Fixed in
5.0.7
5.21.5
6.8.0
0.0.1
CVE-2026-34177 is a critical privilege-escalation vulnerability in LXD, Canonical's container and virtual-machine manager. A user who holds can_edit permission on a virtual-machine instance inside a restricted project can bypass the project's restrictions and obtain full cluster administrator access. Fixes are available in 5.0.7, 5.21.5 and 6.8.0 (the fixed-in list above); earlier releases in each of those series are affected.
The vulnerability stems from a missing check in the isVMLowLevelOptionForbidden function in LXD's project-restriction handling: raw.apparmor and raw.qemu.conf are absent from the denylist of low-level virtual-machine options, so restricted.virtual-machines.lowlevel=block does not stop a VM editor from setting them. raw.apparmor extends the instance's AppArmor profile and raw.qemu.conf appends arbitrary QEMU configuration; combined, they let the attacker bridge the host's LXD unix socket into the guest VM. Requests arriving over the local unix socket are trusted as an administrator, so a process inside the guest that can reach it holds full cluster privileges: it can create, modify and delete instances, networks and storage volumes in every project, which in practice means compromise of the cluster members and access to all data they hold. The blast radius is every resource managed by the LXD cluster.
The vulnerability was publicly disclosed on 2026-04-10. No active exploitation campaigns have been publicly reported, and the EPSS score on this page (0.14%) is low, but the severity and the public description of the missing checks make exploitation by an insider or a compromised tenant account realistic. The impact is complete cluster takeover, so patching should be prioritized. The vulnerability is not currently listed in the CISA KEV catalog.
Organizations that rely on LXD for container and virtual-machine hosting are at significant risk, specifically environments where several users hold can_edit on VM instances inside restricted projects, since restricted projects are exactly the mechanism meant to keep such users away from host-level settings. Multi-tenant and shared-hosting environments built on LXD are at the highest risk, because the attacker only needs an ordinary tenant account with VM edit rights to break out to the whole cluster.
• linux / server:
journalctl -u lxd | grep -i 'forbidden lowlevel option'
On snap-based installs the daemon unit is snap.lxd.daemon, so query that unit instead. A hit shows a denied attempt; a successful bypass on an unpatched host produces no denial, so audit instance configuration as well.
• linux / server:
lxc config show --project PROJECT VM --expanded | grep -E '^ *raw\.(apparmor|qemu\.conf):'
Replace PROJECT and VM; any match on a virtual machine in a restricted project is a bypass candidate. Confirm that the project is restricted with: lxc project show PROJECT | grep restricted.virtual-machines.lowlevel
• generic web:
curl --unix-socket /var/snap/lxd/common/lxd/unix.socket 'lxd/1.0/instances/VM?project=PROJECT'
Inspect metadata.expanded_config in the response for raw.apparmor or raw.qemu.conf. The socket path shown is the snap default; non-snap installs use /var/lib/lxd/unix.socket.
Disclosure: 2026-04-10
Exploit status: no active exploitation publicly reported
EPSS: 0.14% (33rd percentile)
The primary mitigation is to upgrade to a fixed release (5.0.7, 5.21.5 or 6.8.0, depending on the series you run). The denylist consulted by isVMLowLevelOptionForbidden is compiled into LXD, so it cannot be extended through project configuration; there is no configuration-file workaround that adds raw.apparmor and raw.qemu.conf to it. Until the upgrade is done, treat can_edit on virtual-machine instances in restricted projects as equivalent to cluster administrator: withdraw it from users and tokens you would not trust with admin rights, and audit existing VMs for raw.apparmor and raw.qemu.conf. Monitor LXD logs for attempts to modify VM configuration or to reach resources outside the project. After upgrading, verify the fix as a non-admin user with can_edit on a VM in a restricted project by attempting to set raw.apparmor or raw.qemu.conf on that VM and confirming that LXD rejects the change.
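The two checks that matter here, as an added illustration in Go rather than LXD's own code: a model of the exact-match denylist before and after the fix, and an audit that walks an instance list in the shape LXD's API returns and reports every virtual machine whose expanded config carries a key the fixed check forbids but the vulnerable one let through. The keys in the pre-fix list other than the two missing ones, the instance names and the JSON sample are constructed for this example; only the API field names (name, type, project, expanded_config) are real.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Instance is the subset of an LXD instance object (GET /1.0/instances with
// recursion=1) that the audit needs; the JSON field names match the real API.
type Instance struct {
	Name           string            `json:"name"`
	Type           string            `json:"type"`
	Project        string            `json:"project"`
	ExpandedConfig map[string]string `json:"expanded_config"`
}

// vulnerableVMLowLevelForbidden models the pre-fix check the advisory describes:
// an exact-match denylist from which raw.apparmor and raw.qemu.conf are missing.
// The keys listed here are illustrative assumptions, not LXD's actual list.
func vulnerableVMLowLevelForbidden(key string) bool {
	switch key {
	case "raw.qemu", "raw.idmap", "boot.host_shutdown_timeout":
		return true
	}
	return false
}

// fixedVMLowLevelForbidden is the same check with the two keys named in the
// advisory added. A restricted project (restricted.virtual-machines.lowlevel=block)
// rejects any instance config change that sets a forbidden key.
func fixedVMLowLevelForbidden(key string) bool {
	switch key {
	case "raw.apparmor", "raw.qemu.conf":
		return true
	}
	return vulnerableVMLowLevelForbidden(key)
}

// Finding records one instance config key that the fixed check forbids.
type Finding struct {
	Project  string
	Instance string
	Key      string
}

// AuditInstances decodes an instance list and returns every key on a virtual
// machine that the fixed denylist forbids but the vulnerable one allowed.
// On an unpatched cluster each such key is a live bypass candidate.
func AuditInstances(data []byte) ([]Finding, error) {
	var instances []Instance
	if err := json.Unmarshal(data, &instances); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, inst := range instances {
		if inst.Type != "virtual-machine" {
			continue // containers have a separate low-level denylist
		}
		for key := range inst.ExpandedConfig {
			if fixedVMLowLevelForbidden(key) && !vulnerableVMLowLevelForbidden(key) {
				findings = append(findings, Finding{Project: inst.Project, Instance: inst.Name, Key: key})
			}
		}
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(findings, func(i, j int) bool {
		a, b := findings[i], findings[j]
		if a.Project != b.Project {
			return a.Project < b.Project
		}
		if a.Instance != b.Instance {
			return a.Instance < b.Instance
		}
		return a.Key < b.Key
	})
	return findings, nil
}

// sampleInstances is constructed test data shaped like the API response; it is
// not output captured from a real cluster.
const sampleInstances = `[
  {"name": "web-vm", "type": "virtual-machine", "project": "tenant-a",
   "expanded_config": {"raw.apparmor": "<constructed rules>", "raw.qemu.conf": "<constructed qemu conf>", "limits.cpu": "2"}},
  {"name": "db-ct", "type": "container", "project": "tenant-a",
   "expanded_config": {"raw.apparmor": "<constructed rules>"}},
  {"name": "clean-vm", "type": "virtual-machine", "project": "tenant-b",
   "expanded_config": {"limits.memory": "4GiB"}}
]`

func main() {
	findings, err := AuditInstances([]byte(sampleInstances))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s sets %s (forbidden by the fixed check)\n", f.Project, f.Instance, f.Key)
	}
}
```

On a real cluster, replace sampleInstances with the JSON array returned by the instances endpoint (request it with recursion=1 so expanded_config is included) and run the audit before and after the upgrade. The exact-match denylist is the shape of the original bug: a rule that blocks the whole raw. prefix in restricted projects would have covered both keys before anyone knew they were missing, which is the design lesson to take from this advisory.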
Upgrade to version 6.8.0 or later (or to 5.0.7 / 5.21.5 on the LTS series) to mitigate the vulnerability. The update completes the incomplete denylist that allowed the low-level restrictions on virtual machines to be bypassed, preventing the privilege escalation.
CVE-2026-34177 is a critical privilege-escalation vulnerability in LXD releases before 5.0.7, 5.21.5 and 6.8.0. It allows a user with can_edit permission on a VM instance in a restricted project to bypass the project restrictions and gain full cluster administrator access.
You are affected if you run an LXD release older than the fixed version for your series (5.0.7, 5.21.5 or 6.8.0). Check the installed version with lxc version (or lxd --version) and upgrade immediately if necessary.
Upgrade LXD to a fixed release. There is no configuration workaround that adds raw.apparmor and raw.qemu.conf to the forbidden list, because that list is built into LXD; until you upgrade, remove can_edit on VM instances in restricted projects from users you would not trust with cluster administrator rights, and audit VMs for those two keys.
While no active exploitation campaigns have been publicly reported, the critical severity and available information suggest a high probability of exploitation. Prioritize patching.
Refer to the LXD project's security advisories on GitHub (https://github.com/canonical/lxd/security/advisories) for the official advisory and updates.