Command Execution Vulnerability in Canonical LXD Affects Multiple Versions
CVE-2026-28384

9.4CRITICAL

Key Information:

Vendor

Canonical

Status
Lxd
Vendor
CVE Published:
12 March 2026

What is CVE-2026-28384?

An issue in Canonical LXD allows authenticated, unprivileged users to execute arbitrary commands with the permissions of the LXD daemon. This vulnerability arises from the improper sanitization of the 'compression_algorithm' parameter when making API calls to the image and backup endpoints. This flaw affected multiple versions of LXD, including versions from 4.12 to 6.6, and has been remedied in specific stable snap releases. Importantly, version 4.0.10 and earlier are not impacted by this vulnerability.

Affected Version(s)

lxd Linux 6.0 < 6.7

lxd Linux 5.21.0 < 5.21.4

lxd Linux 5.0.0 < 5.0.6

References

https://github.com/canonical/lxd/security/advisories/GHSA...
vendor-advisory
https://github.com/canonical/lxd/commit/043696a13171ace7d...
patch
https://github.com/canonical/lxd/commit/7046979645c2ce1b6...
patch

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.