Denial of Service Vulnerability in LXD by Canonical
CVE-2026-9639

6.5 MEDIUM

Key Information:

Vendor: Canonical
Status: Vendor
CVE Published: 26 June 2026

What is CVE-2026-9639?

A nil-pointer dereference vulnerability exists in the CreateCustomVolumeFromBackup function within LXD versions up to 6.8 and 5.21. An authenticated user with the 'can_create_storage_volumes' permission can exploit this vulnerability to trigger a denial of service. The crash occurs when a specially crafted custom-volume backup tarball omits the 'expires_at' snapshot field, which the code dereferences without a nil check, leading to potential service disruption. Users should apply the latest security patches to mitigate the risk.
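The bug class described above, as an added illustration that is not LXD's code: a hypothetical backup-index parser in which the optional expires_at field is a pointer, the unchecked dereference that panics when the field is absent, and the nil-checked form that treats a missing value as "no expiry". The type names, JSON layout and sample index are all constructed assumptions.

```go
package main

import (
	"encoding/json"
	"time"
)

// Snapshot is one entry of a hypothetical backup index (constructed for this
// example; not LXD's real format). ExpiresAt is a pointer because the field
// is optional: an index written without "expires_at" decodes to nil.
type Snapshot struct {
	Name      string     `json:"name"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
}

// ParseIndex decodes the snapshot list from a JSON backup index.
func ParseIndex(raw []byte) ([]Snapshot, error) {
	var idx struct {
		Snapshots []Snapshot `json:"snapshots"`
	}
	err := json.Unmarshal(raw, &idx)
	return idx.Snapshots, err
}

// ExpiryUnchecked shows the bug class: dereferencing the optional field
// unconditionally panics (nil-pointer dereference) when it is absent.
func ExpiryUnchecked(s Snapshot) time.Time { return *s.ExpiresAt }

// ExpiryChecked is the hardened form: a missing expires_at is treated as
// "never expires" (the zero time) instead of crashing the daemon.
func ExpiryChecked(s Snapshot) time.Time {
	if s.ExpiresAt == nil {
		return time.Time{}
	}
	return *s.ExpiresAt
}

// Panics reports whether f panics, so the crash can be shown safely.
func Panics(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

// CraftedIndex is a constructed index whose only snapshot omits expires_at.
const CraftedIndex = `{"snapshots":[{"name":"snap0"}]}`
```

Feeding CraftedIndex through ExpiryUnchecked reproduces the crash class in-process (caught by Panics), while ExpiryChecked returns the zero time and the daemon keeps running.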

Affected Version(s)

LXD Linux 5.21.0 < 5.21.5

LXD Linux 6.0 < 6.9

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
