- Last update: 13/04/2026
- Affected software:
→ Canonical LXD
→ Affected versions: < 5.0.7, < 5.21.5, < 6.8.0
- Type: Incomplete List of Disallowed Inputs, Improper Input Validation, Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CVE/CVSS
→ CVE-2026-34177: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2026-34178: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2026-34179: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f
https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4
https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5
These vulnerabilities all require the attacker to be an authenticated user with specific permissions. With those permissions, the attacker can escalate to cluster admin and host root, and can upload a tampered backup to bypass all project restriction enforcement and fully compromise the host from a restricted project. The impact on availability, confidentiality and integrity is high.
The first vulnerability, CVE-2026-34177, describes an incomplete denylist that allows an attacker with can_edit permission on a VM instance in a restricted project to inject an AppArmor rule and QEMU chardev configuration to bridge the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
The second vulnerability, CVE-2026-34178, describes a flaw where LXD validates one configuration file against the project's permissions when creating a backup but builds the backup from a different configuration file. Both files are attacker-controlled, which allows the attacker to bypass all project restriction enforcement. The resulting backup can be altered and uploaded again, fully compromising the instance.
The third vulnerability, CVE-2026-34179, allows a restricted TLS-certificate user to escalate to cluster admin by changing their certificate entry from the client type to the server type. This change is not validated, so the modified certificate persists in the database, and on the next connection with that certificate the attacker gains full admin privileges.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
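The three upper bounds above are per-release-series fixes, so a naive "is the version below 6.8.0" check would wrongly flag a patched 5.21.5 host. The following script, an added example that is not part of the advisory or of the LXD project, compares an installed version against the fix for its own series; it assumes that 5.0.x is fixed in 5.0.7, 5.21.x in 5.21.5 and 6.x in 6.8.0, and that `lxd --version` prints a bare version string.

```python
"""Classify an installed LXD version against the affected ranges in this advisory.

Assumption (not stated on the page): the three upper bounds are per-series fixes,
i.e. 5.0.x is fixed in 5.0.7, 5.21.x in 5.21.5 and 6.x in 6.8.0.
"""
import re
import shutil
import subprocess

# Fixed versions per series, taken from the advisory's "Affected versions" line.
FIXED = {
    "5.0": (5, 0, 7),
    "5.21": (5, 21, 5),
    "6": (6, 8, 0),
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as '5.21.4' or '6.7'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """Return True when the version is below the fix for its own release series."""
    v = parse_version(version)
    if v[:2] == (5, 0):
        return v < FIXED["5.0"]
    if v[:2] == (5, 21):
        return v < FIXED["5.21"]
    if v[0] >= 6:
        return v < FIXED["6"]
    # Anything else (4.x, or 5.x feature releases between 5.0 and 5.21) has no
    # listed fix, so it is reported as affected (conservative choice).
    return True


def installed_lxd_version():
    """Read the version from a local `lxd --version`, or return None if lxd is absent."""
    if shutil.which("lxd") is None:
        return None
    out = subprocess.run(["lxd", "--version"], capture_output=True, text=True)
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_lxd_version()
    if v is None:
        print("lxd not found on this host")
    else:
        print(f"LXD {v}: {'AFFECTED, update required' if is_affected(v) else 'fixed version'}")
```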
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
https://nvd.nist.gov/vuln/detail/CVE-2026-34177
https://nvd.nist.gov/vuln/detail/CVE-2026-34178
https://nvd.nist.gov/vuln/detail/CVE-2026-34179