Six critical 9.9-CVSS vulnerabilities were found in Canonical's LXD today only

Posted by jabrr71

Overview · canonical/lxd · GitHub


Security: canonical/lxd


SECURITY.md

Security policy

Supported versions

LXD has two types of releases:

Feature releases

LTS releases

For feature releases, only the latest one is supported, and we usually don't do point releases. Instead, users are expected to wait until the next feature release.

For LTS releases, we do periodic bugfix releases that include an accumulation of bugfixes from the feature releases. Such bugfix releases do not include new features.

What qualifies as a security issue

We don't consider privileged containers to be root safe, so any exploit allowing someone to escape them will not qualify as a security issue. This doesn't mean that we're not interested in preventing such escapes, but we simply do not consider such containers to be root safe.

Unprivileged container escapes are certainly something we'd consider a security issue, especially if somehow facilitated by LXD.

Reporting a vulnerability

The easiest way to report a security issue is through GitHub. See "Privately reporting a security vulnerability" for instructions.

The LXD GitHub admins will be notified of the issue and will work with you to determine whether the issue qualifies as a security issue and, if so, in which component. We will then handle figuring out a fix, getting a CVE assigned and coordinating the release of the fix to the various Linux distributions.

The Ubuntu Security disclosure and embargo policy contains more information about what you can expect when you contact us, and what we expect from you.

Published advisories

Project restriction bypass in instance copy across projects
GHSA-qx75-2p3r-pwm5, published Jun 26, 2026 by tomponline. Severity: High

Project restriction bypass for custom volume copy across projects
GHSA-7mr3-28h5-m5vx, published Jun 26, 2026 by tomponline. Severity: High

Cross-guest volume hijack via DevLXD device patch
GHSA-hhf9-qw4v-72xp, published Jun 26, 2026 by tomponline. Severity: High

Restricted project bypass leading to arbitrary command execution
GHSA-47w9-6r3f-938g, published Jun 26, 2026 by tomponline. Severity: Critical

Arbitrary file write on host via `exec-output` symlink in crafted image
GHSA-9j25-mm2h-2f76, published Jun 26, 2026 by tomponline. Severity: Critical

Arbitrary file read+write on host via templates/ symlink in malicious image
GHSA-jpf8-86f3-wp38, published Jun 26, 2026 by tomponline. Severity: Critical

Arbitrary file read+write on host via rootfs/ symlink in malicious image
GHSA-vghh-5rfx-xhq8, published Jun 26, 2026 by tomponline. Severity: Critical

Argument injection in backup compression algorithm leading to AFW and ACE
GHSA-fmc8-p6q7-75cc, published Jun 26, 2026 by tomponline. Severity: Critical

Arbitrary file write on client due to trusted image hash
GHSA-pjff-c2wc-f6jm, published Jun 26, 2026 by tomponline. Severity: Critical

CreateCustomVolumeFromBackup nil-pointer dereference on volumes[0].snapshots[*].expires_at
GHSA-j93m-3j9p-m5m8, published Jun 26, 2026 by tomponline. Severity: Low
