Description
Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A nil‑pointer dereference in the CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes rights to trigger a denial of service by uploading a backup tarball that omits the expires_at field of a snapshot. The error causes the LXD daemon to crash, leading to a service interruption. The weakness corresponds to uninitialized data use, identified as CWE‑476.

Affected Systems

Canonical’s LXD container hypervisor is affected. All releases up to and including LXD 6.8, as well as LXD 5.21, are vulnerable; versions 5.21.5, 6.9, or newer contain the fix. The issue affects Linux deployments of LXD where the backup feature is enabled.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity vulnerability. EPSS is not available, so the current exploitation likelihood is unknown, and the vulnerability is not listed in CISA KEV. An attacker must be authenticated and have the can_create_storage_volumes permission to cause the crash, so the attack vector is local/privileged. If such a user can craft a malicious tarball, the daemon will terminate, resulting in downtime until a restart.

Generated by OpenCVE AI on June 26, 2026 at 17:33 UTC.

Remediation

Vendor Solution

Upgrade to LXD version 5.21.5 or later, or 6.9 or later.

OpenCVE Recommended Actions

  • Upgrade LXD to version 5.21.5 or newer, or 6.9 and above, which contain the fix.
  • Restrict the can_create_storage_volumes permission to trusted administrators to limit who can create custom volume backups.
  • Validate or sanitize backup tarballs before importing, and consider restarting the LXD service to recover promptly after a crash.

Generated by OpenCVE AI on June 26, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical lxd
Vendors & Products Canonical
Canonical lxd

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
Title Authenticated Denial of Service via Malicious Backup Tarball in LXD
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Canonical Lxd
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-06-26T16:02:11.520Z

Reserved: 2026-05-26T18:31:05.985Z

Link: CVE-2026-9639

cve-icon Vulnrichment

Updated: 2026-06-26T16:02:07.362Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T23:00:08Z

Weaknesses