Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-34178 · PATCHED · CVSS 9.1 · canonical / lxd

Importing a crafted backup leads to project restriction bypass

Description

In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive whose index.yaml passes the restriction check while backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives. This bypasses project restriction enforcement entirely and can lead to full host compromise.
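To make the two-file mismatch concrete, here is an added example (not LXD's own code and not the advisory's proof of concept): a Python model that builds a backup tarball whose backup/index.yaml is clean and whose backup/container/backup.yaml carries restricted settings, then runs it through an importer that validates only index.yaml beside one that validates the configuration it actually applies. The restriction rules (a restricted project refusing security.privileged=true and any raw.* key), the flat YAML layout of the two files, the mini YAML parser and the sample configurations are all simplifications constructed for this example, not LXD's real schema.

```python
"""Added example (not LXD code): models the validation mismatch behind
CVE-2026-34178. A backup archive carries two copies of the instance
config; the vulnerable importer checks project restrictions against
backup/index.yaml but builds the instance from
backup/container/backup.yaml. The hardened importer checks the config
it actually applies. YAML is handled by a minimal flat-key parser
(assumption: only a top-level 'config:' mapping of scalar values)."""
import io
import tarfile

# Simplified model of a restricted LXD project (assumption: the real
# project has many more restricted.* keys; these suffice for the pattern).
RESTRICTED_PROJECT = {
    "restricted": "true",
    "restricted.containers.privilege": "unprivileged",
    "restricted.containers.lowlevel": "block",
}

# Constructed sample files. The "clean" copy is what the attacker puts in
# index.yaml; the "malicious" copy is what they put in backup.yaml.
CLEAN_YAML = """name: web01
config:
  security.privileged: "false"
  image.os: Ubuntu
"""
MALICIOUS_YAML = """name: web01
config:
  security.privileged: "true"
  raw.lxc: "lxc.log.level = 0"
"""


def parse_config(yaml_text):
    """Extract the flat 'config:' mapping from the tiny YAML subset used here."""
    config, in_config = {}, False
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:
            in_config = line == "config:"
            continue
        if in_config and ":" in line:
            key, _, value = line.partition(":")
            config[key.strip()] = value.strip().strip('"')
    return config


def restriction_violations(config, project):
    """Return the instance config keys this project would refuse."""
    bad = []
    if project.get("restricted") != "true":
        return bad
    if (project.get("restricted.containers.privilege") != "allow"
            and config.get("security.privileged") == "true"):
        bad.append("security.privileged")
    if project.get("restricted.containers.lowlevel") == "block":
        bad.extend(k for k in config if k.startswith("raw."))
    return bad


def build_backup(index_yaml, backup_yaml):
    """Construct an in-memory backup tarball with the two config copies."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in (("backup/index.yaml", index_yaml),
                           ("backup/container/backup.yaml", backup_yaml)):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _read_member(tar, name):
    return tar.extractfile(name).read().decode()


def import_vulnerable(archive, project):
    """Pre-fix behaviour: validate index.yaml, create from backup.yaml."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        index_cfg = parse_config(_read_member(tar, "backup/index.yaml"))
        bad = restriction_violations(index_cfg, project)
        if bad:
            raise PermissionError(f"restricted keys in index.yaml: {bad}")
        # The instance is built from a file the check never looked at.
        return parse_config(_read_member(tar, "backup/container/backup.yaml"))


def import_hardened(archive, project):
    """Validate the config that is actually applied, and refuse archives
    whose two copies disagree (defence in depth; an assumption of this model)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        index_cfg = parse_config(_read_member(tar, "backup/index.yaml"))
        instance_cfg = parse_config(_read_member(tar, "backup/container/backup.yaml"))
    bad = restriction_violations(instance_cfg, project)
    if bad:
        raise PermissionError(f"restricted keys in backup.yaml: {bad}")
    if instance_cfg != index_cfg:
        raise PermissionError("index.yaml and backup.yaml config disagree")
    return instance_cfg


if __name__ == "__main__":
    crafted = build_backup(CLEAN_YAML, MALICIOUS_YAML)
    print("vulnerable importer created:", import_vulnerable(crafted, RESTRICTED_PROJECT))
    try:
        import_hardened(crafted, RESTRICTED_PROJECT)
    except PermissionError as exc:
        print("hardened importer refused:", exc)
```

The point the model makes is the general one behind CWE-20 findings of this shape: a check is only as good as its binding to the data that is later used. Running the restriction check over the parsed structure that the create path consumes, rather than over a sibling document, removes the gap regardless of what else the archive contains.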

Affected Products

Vendor: canonical
Product: lxd
Versions: 4.12.0, 5.1.0, 6.0.0

References

  • https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4 (vdb-entry, vendor-advisory)
  • https://github.com/canonical/lxd/pull/17921 (patch, issue-tracking)

Related News (1 article)

Tier C · VulDB · 25d ago
CVE-2026-34178 | Canonical LXD up to 5.0.6/5.21.4/6.7.x Backup Import backup/index.yaml input validation
→ No new info (linked only)
CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA KEV: No
Actively exploited: No
Patch available: 5.0.7, 5.21.5, 6.8.0
CWE: CWE-20
Published: Apr 9, 2026
Last enriched: 25d ago (v2)
Tags: CVE-2026-34178
Trending Score: 3
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CVE-2026-23268 (HIGH): apparmor: fix unprivileged local user can do privileged policy management (Trending: 26)
  • PRE-CVE: Linux kernel vulnerabilities in Ubuntu 20.04 LTS and 24.04 LTS (Trending: 20)
  • CVE-2026-6369 (CRITICAL): Exposed Session Token in canonical-livepatch client snap (Trending: 5)
  • CVE-2026-34179 (CRITICAL): Update of type field in restricted TLS certificate allows privilege escalation to cluster admin (Trending: 3)
  • CVE-2026-23269 (HIGH): apparmor: validate DFA start states are in bounds in unpack_pdb (Trending: 3)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 9, 2026
Discovered by ZDM: Apr 9, 2026
Updated (affectedVersions, tags): Apr 9, 2026
Patch Available: Apr 9, 2026

Version History

v2 · Tier C · 25d ago (last enriched)

Updated affected versions to include 5.0.6, 5.21.4, and 6.7.x, and noted that there is no exploit available.

Fields: affectedVersions, tags
Source: via VulDB

v1 · 25d ago

Initial creation