Description
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
Published: 2026-06-26
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The devLXDInstancePatchHandler component in Canonical LXD contains a broken access control flaw that lets an untrusted guest send a crafted PATCH request to the /dev/lxd endpoint. When the security.devlxd.management.volumes flag is enabled, this flaw permits the guest to mount, read, and overwrite another guest’s custom storage volume, giving unauthorized access to sensitive data and potentially causing denial‑of‑service by corrupting the volume.

Affected Systems

Canonical LXD installations prior to version 6.9 are affected when the security.devlxd.management.volumes setting is enabled. All guests running inside these instances can original privilege level.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. No EPSS score is available, so the probability of exploitation cannot be quantified, but the defect can be exercised by any guest capable of communicating with the /dev/lxd interface. The vulnerability is not listed in the CISA KEV catalog, meaning no in-the-wild exploitation has been documented yet; even so, local attackers can already mount other guests' storage volumes and read or overwrite their data.

Generated by OpenCVE AI on June 26, 2026 at 17:33 UTC.

Remediation

Vendor Solution

Upgrade to LXD version 6.9 or later.


OpenCVE Recommended Actions

  • Upgrade Canonical LXD to version 6.9 or newer to apply the fix for the broken access control flaw.
  • Disable the devlxd management volumes feature by setting security.devlxd.management.volumes to false if an upgrade is not immediately possible, preventing the vulnerability from being exploitable.
  • Verify that containers cannot perform unauthorized PATCH operations by reviewing access logs and monitoring device endpoint usage.
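As an added defender-side check (not part of the OpenCVE record or of LXD's own tooling), the POSIX shell script below classifies each instance against the two mitigations listed above: it compares the LXD server version with 6.9 and inspects the value of security.devlxd.management.volumes. It assumes that the key is an instance-level config key read with `lxc config get <instance> security.devlxd.management.volumes`, that `lxc version` prints a "Server version: X.Y" line, and that versions are dotted major.minor[.patch] strings; the inventory it audits is constructed sample data, not real hosts.

```shell
#!/bin/sh
# Added example: classify LXD instances as exposed or mitigated with respect to
# the devlxd volume-management flaw fixed in LXD 6.9. Not LXD's own tooling.

# lxd_fixed VERSION -> success (0) when VERSION is 6.9 or later.
# Assumes a dotted major.minor[.patch] string such as "6.8" or "6.9.1".
lxd_fixed() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*$//')
  [ "${major:-0}" -gt 6 ] 2>/dev/null && return 0
  [ "${major:-0}" -eq 6 ] 2>/dev/null && [ "${minor:-0}" -ge 9 ] 2>/dev/null
}

# volumes_enabled VALUE -> success when the config value reads as "true".
volumes_enabled() {
  case "$1" in
    true|True|TRUE|1|yes|on) return 0 ;;
    *) return 1 ;;
  esac
}

# instance_exposed VERSION VALUE -> success when the instance can still reach
# the flaw: unpatched server AND management-volumes key enabled.
instance_exposed() {
  lxd_fixed "$1" && return 1
  volumes_enabled "$2"
}

# classify VERSION VALUE -> prints one of:
#   mitigated-by-version | mitigated-by-config | exposed
classify() {
  if lxd_fixed "$1"; then
    echo mitigated-by-version
  elif volumes_enabled "$2"; then
    echo exposed
  else
    echo mitigated-by-config
  fi
}

# Constructed inventory (assumed, not real hosts): "instance version key_value".
SAMPLE_INVENTORY='web1 6.8 true
db1 6.8 false
ci1 6.9 true
legacy 5.21.3 true'

# audit_inventory reads the inventory format above from stdin, prints one line
# per instance, and succeeds only when no instance is exposed.
audit_inventory() {
  exposed=0
  while read -r name ver val; do
    [ -n "$name" ] || continue
    state=$(classify "$ver" "$val")
    printf '%-8s version=%-7s volumes=%-5s %s\n' "$name" "$ver" "$val" "$state"
    [ "$state" = exposed ] && exposed=$((exposed + 1))
  done
  [ "$exposed" -eq 0 ]
}

# live_audit builds the same inventory from a real host with the lxc client.
# Assumes instance-level key and the "Server version:" line of `lxc version`.
live_audit() {
  command -v lxc >/dev/null 2>&1 || { echo "lxc client not found" >&2; return 2; }
  server_ver=$(lxc version | awk '/Server version/ { print $NF }')
  lxc list -c n --format csv | while read -r name; do
    val=$(lxc config get "$name" security.devlxd.management.volumes)
    printf '%s %s %s\n' "$name" "$server_ver" "${val:-false}"
  done | audit_inventory
}

# Stand-alone run over the constructed inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory || echo "at least one instance is exposed"
```

Run `live_audit` on an LXD host to apply the same classification to real instances; a non-zero exit from `audit_inventory` means at least one instance is unpatched with the key enabled, which is the condition the two remediation items above are meant to remove.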



Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Canonical; Canonical lxd
Vendors & Products    -                Canonical; Canonical lxd

Fri, 26 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description   -                Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
Title         -                Broken Access Control in Canonical LXD DevLXD API
Weaknesses    -                CWE-639; CWE-862
References    -                -
Metrics       -                cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-06-26T16:02:55.284Z

Reserved: 2026-06-16T15:07:27.771Z

Link: CVE-2026-12411

Vulnrichment

Updated: 2026-06-26T16:02:51.096Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T00:30:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-862: Missing Authorization