Description
An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
Published: 2026-03-12
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated but unprivileged user can cause the LXD daemon to execute arbitrary commands by abusing the unsanitized compression_algorithm parameter accepted by the image and backup API endpoints. Commands run with the privileges of the LXD daemon, which normally runs as root, so this amounts to remote code execution with full control over the host. The weakness is classified as OS Command Injection (CWE-78).
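As an added illustration (not LXD's code and not the actual vulnerable code path), the Go snippet below contrasts the CWE-78 anti-pattern the description implies, splicing a client-supplied compression_algorithm value into a shell command line, with an allowlist lookup that maps the request value to a fixed argv and builds the process without a shell. The compressor names, their argv, the function names and the hostile request value are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
)

// ErrBadCompressor is returned for any value outside the allowlist.
var ErrBadCompressor = errors.New("unsupported compression_algorithm")

// allowedCompressors is an assumed allowlist for this illustration; it is not
// LXD's real configuration schema. Each entry maps to the exact argv to run.
var allowedCompressors = map[string][]string{
	"none":  {"cat"},
	"gzip":  {"gzip", "-c"},
	"bzip2": {"bzip2", "-c"},
	"xz":    {"xz", "-c"},
	"zstd":  {"zstd", "-c"},
}

// unsafeShellLine shows the anti-pattern (CWE-78): a client-controlled value
// is spliced into a command string that would be handed to "sh -c". It is
// returned, not executed, so the effect of shell metacharacters is visible.
func unsafeShellLine(inputPath, compressionAlgorithm string) string {
	return fmt.Sprintf("tar -cf - %s | %s", inputPath, compressionAlgorithm)
}

// safeCompressArgv validates the request value by exact lookup in the
// allowlist and returns a fixed argv. Anything not in the list, including an
// allowed name followed by extra characters or flags, is rejected.
func safeCompressArgv(compressionAlgorithm string) ([]string, error) {
	argv, ok := allowedCompressors[compressionAlgorithm]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrBadCompressor, compressionAlgorithm)
	}
	out := make([]string, len(argv))
	copy(out, argv) // give the caller its own slice; the table stays immutable
	return out, nil
}

// buildCommand constructs the process without a shell: argv elements reach
// execve as-is, so no metacharacter interpretation can happen.
func buildCommand(argv []string) *exec.Cmd {
	return exec.Command(argv[0], argv[1:]...)
}

func main() {
	// Constructed request value of the kind an attacker could place in the
	// JSON body of an image or backup request (hypothetical, for illustration).
	hostile := "gzip; id > /tmp/pwned"

	fmt.Println("unsafe:", unsafeShellLine("/var/lib/lxd/images/x", hostile))

	if _, err := safeCompressArgv(hostile); err != nil {
		fmt.Println("safe: rejected:", err)
	}
	argv, _ := safeCompressArgv("xz")
	fmt.Println("safe: argv =", buildCommand(argv).Args)
}
```

The point of the allowlist is that validation happens on the name, not on the characters: no attempt is made to strip quotes or semicolons, so there is nothing for an encoder trick to bypass, and the process is started from argv rather than a shell string.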

Affected Systems

The vulnerability affects Canonical's LXD, in all versions from 4.12 through 6.6. It was fixed in the snap packages 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0/stable). The 4.0/stable channel, which contains version 4.0.10, is not affected.

Risk and Exploitability

The CVSS 4.0 score of 9.4 rates this issue as critical. The EPSS score of less than 1% indicates a low predicted probability of exploitation in the wild, but the attack requires only authenticated access as an unprivileged LXD user (PR:L, no user interaction), and the SSVC assessment recorded in the history below marks it as automatable with a proof of concept available. The vulnerability is not listed in the KEV catalog, but its impact is severe: command execution as the LXD daemon affords control of the host system. The attack vector is authenticated API calls to the image and backup endpoints carrying a crafted compression_algorithm value that the server passes on without sanitization.

Generated by OpenCVE AI on March 18, 2026 at 14:59 UTC.

Remediation

Vendor fix: upgrade to the patched snap versions listed in the description (5.0.6-e49d9f4 on 5.0/stable, 5.21.4-1374f39 on 5.21/stable, 6.7-1f11451 on 6.0/stable). No workaround is documented on this page.

OpenCVE Recommended Actions

  • Ensure you are running a patched LXD snap on the track you use: 5.0.6-e49d9f4 or later on 5.0/stable, 5.21.4-1374f39 or later on 5.21/stable, or 6.7-1f11451 or later on 6.0/stable.
  • If you are not using the snap package, check Canonical’s release notes for equivalent patch releases and upgrade your LXD installation accordingly.
  • Verify the LXD version after upgrading by running lxc --version or snap list lxd.
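For fleet triage, the Go program below (added here; not OpenCVE's or Canonical's tooling) parses the version strings reported by lxc --version or snap list lxd, drops the snap build hash after the hyphen, and applies the boundaries stated on this page: anything below 4.12 or at 6.7 and above is unaffected, 5.0.6+ and 5.21.4+ are patched on their tracks, and everything else in the 4.12 through 6.6 range is reported as affected, including intermediate releases for which no fix is listed. The sample version strings are constructed, and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// lxdVersion holds major.minor.patch; a missing patch level is 0.
type lxdVersion struct{ major, minor, patch int }

func (v lxdVersion) less(o lxdVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// parseLXDVersion accepts "6.6", "5.21.4" or a snap string such as
// "5.21.4-1374f39"; the build hash after "-" is discarded.
func parseLXDVersion(s string) (lxdVersion, error) {
	s = strings.TrimSpace(s)
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return lxdVersion{}, fmt.Errorf("malformed LXD version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return lxdVersion{}, fmt.Errorf("malformed LXD version %q", s)
		}
		nums[i] = n
	}
	return lxdVersion{nums[0], nums[1], nums[2]}, nil
}

// Boundaries taken from the advisory text on this page.
var (
	firstAffected = lxdVersion{4, 12, 0} // 4.0.x (e.g. 4.0.10) is below this
	fixedLatest   = lxdVersion{6, 7, 0}  // 6.0/stable received 6.7
	fixedByTrack  = map[[2]int]lxdVersion{
		{5, 0}:  {5, 0, 6},  // 5.0/stable
		{5, 21}: {5, 21, 4}, // 5.21/stable
	}
)

// isAffected reports whether a version string falls inside the vulnerable
// range and has not received one of the listed fixes.
func isAffected(s string) (bool, error) {
	v, err := parseLXDVersion(s)
	if err != nil {
		return false, err
	}
	if v.less(firstAffected) {
		return false, nil // predates the affected range
	}
	if !v.less(fixedLatest) {
		return false, nil // 6.7 or later
	}
	if fix, ok := fixedByTrack[[2]int{v.major, v.minor}]; ok && !v.less(fix) {
		return false, nil // patched LTS track
	}
	return true, nil
}

func main() {
	// Constructed sample outputs of `lxc --version` from several hosts.
	for _, s := range []string{"4.0.10", "5.0.5", "5.0.6-e49d9f4", "5.21.4-1374f39", "6.6", "6.7-1f11451"} {
		affected, err := isAffected(s)
		if err != nil {
			fmt.Println(s, "error:", err)
			continue
		}
		fmt.Printf("%-16s affected=%v\n", s, affected)
	}
}
```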

Generated by OpenCVE AI on March 18, 2026 at 14:59 UTC.


Advisories

Source       ID          Title
Debian DSA   DSA-6184-1  incus security update
Debian DSA   DSA-6188-1  lxd security update
History

Fri, 13 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Canonical; Canonical lxd

Type: Vendors & Products
Values Removed: none
Values Added: Canonical; Canonical lxd

Thu, 12 Mar 2026 15:15:00 +0000

Values Removed: none
Values Added:
Description: An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
Title: Authenticated RCE via unsanitized compression_algorithm
Weaknesses: CWE-78
References:
Metrics: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-03-13T16:30:06.396Z

Reserved: 2026-02-27T11:06:14.064Z

Link: CVE-2026-28384

Vulnrichment

Updated: 2026-03-13T16:29:53.136Z

NVD

Status : Awaiting Analysis

Published: 2026-03-12T15:16:27.247

Modified: 2026-03-13T19:54:31.793

Link: CVE-2026-28384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:47Z

Weaknesses