CVE-2025-54286
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-22
Assigner: Canonical Ltd.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| canonical | lxd | From 5.0.0 (inc) to 5.0.5 (exc) |
| canonical | lxd | From 5.21.0 (inc) to 5.21.4 (exc) |
| canonical | lxd | From 6.1 (inc) to 6.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the LXD-UI component of Canonical LXD versions 5.0 and above on Linux. It allows an attacker to trick a user into submitting crafted HTML forms that exploit client certificate authentication, enabling the attacker to create and start container instances without the user's consent.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can create and start container instances on your system without your permission. This unauthorized action could lead to resource misuse, potential deployment of malicious containers, and compromise of system integrity.