CVE-2026-28384

EUVD-2026-11585

12.03.2026, 15:16

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
canonical	CNA	9.4 CRITICAL	NETWORK	LOW	LOW	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
canonical	lxd	6.0 ≤ 𝑥 < 6.7	CNA
canonical	lxd	5.21.0 ≤ 𝑥 < 5.21.4	CNA
canonical	lxd	5.0.0 ≤ 𝑥 < 5.0.6	CNA
canonical	lxd	4.12	CNA

Ubuntu Releases

Ubuntu Product

Codename

lxd

bionic	not-affected
focal	not-affected
jammy	dne
noble	dne
questing	dne
xenial	not-affected

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://discourse.ubuntu.com/t/lxd-authenticated-remote-code-execution-fixes-available/78365

https://github.com/canonical/lxd/commit/043696a13171ace7dd4c2b32d34ce039ab629052

https://github.com/canonical/lxd/commit/7046979645c2ce1b63b2f9e60ddf6cbc4c4b78f9

https://github.com/canonical/lxd/commit/b7b411caf5c4971bfe2386c72128f44d7e2aaf4f

https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g