CVE-2026-34178
LXD: Importing a crafted backup leads to project restriction bypass
Description
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
How to fix CVE-2026-34178
To remediate CVE-2026-34178, upgrade the affected package to a fixed version below.
- —upgrade to 6.0.4-2+deb13u6 or later
- —no fix listed
- —no fix listed
Is CVE-2026-34178 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 6.0.4-2+deb13u6
- from 0
- >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |