CVE-2026-9639
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Canonical | LXD | 5.21.0 < 5.21.5 | affected |
| Canonical | LXD | 6.0 < 6.9 | affected |
Weaknesses
- CWE-476: CWE-476 NULL pointer dereference
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8
- https://github.com/canonical/lxd/pull/18320
- https://github.com/canonical/lxd/pull/18390
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.