CVE-2026-28384
Command Injection via Improper Sanitization in Canonical LXD API
Publication date: 2026-03-12
Last updated on: 2026-03-13
Assigner: Canonical Ltd.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | lxd | From 4.12 (inc) to 6.6 (inc) |
| canonical | lxd | 5.0.6-e49d9f4 |
| canonical | lxd | 5.21.4-1374f39 |
| canonical | lxd | 6.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade the LXD snap to a fixed version that includes the patch for CVE-2026-28384.
- Run the command: `sudo snap refresh lxd`
Ensure your LXD snap version is at least 5.0.6-e49d9f4 (5.0/stable), 5.21.4-1374f39 (5.21/stable), or 6.7-1f11451 (6.0 stable) to be protected against this vulnerability.
Can you explain this vulnerability to me?
CVE-2026-28384 is a critical security vulnerability in Canonical LXD that arises from improper sanitization of the `compression_algorithm` parameter used in image and backup API endpoints.

An authenticated but unprivileged user can exploit this flaw by injecting arbitrary commands through the `compression_algorithm` parameter, which is shell-parsed and executed by the LXD daemon with root privileges.

The vulnerability exists because the `compression_algorithm` string is executed without strict validation, allowing attackers to run commands like `bash -c "malicious_command"` on the host system.

This issue affects LXD versions from 4.12 through 6.6 and was fixed in later snap releases by implementing strict allowlist validation of compression algorithms and rejecting unsupported or potentially harmful inputs. [3, 5]
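The fix described above, a strict allowlist check on `compression_algorithm` with no shell in the execution path, as an added example written here for illustration. This is not LXD's own code: the allowlist contents, the default of `gzip`, the function names and the `-c` flag passed to the compressor are all assumptions. The unsafe builder is included only to show why a string that reaches `sh -c` cannot be made safe by escaping; the hardened builder rejects anything outside the allowlist before an argv is ever constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// allowedCompressors is an assumed, illustrative allowlist mapping the
// request value to the binary to run. LXD's own supported set may differ.
// "none" maps to an empty binary name, meaning "stream uncompressed".
var allowedCompressors = map[string]string{
	"none":  "",
	"gzip":  "gzip",
	"bzip2": "bzip2",
	"xz":    "xz",
	"zstd":  "zstd",
}

// ErrBadCompressor is returned for any value outside the allowlist.
var ErrBadCompressor = errors.New("unsupported compression_algorithm")

// ValidateCompressionAlgorithm maps a request-supplied value to an
// allowlisted name. Anything else, including values that carry extra flags
// or shell metacharacters, is rejected outright rather than "sanitized".
func ValidateCompressionAlgorithm(input string) (string, error) {
	name := strings.TrimSpace(input)
	if name == "" {
		name = "gzip" // assumed default when the field is omitted
	}
	if _, ok := allowedCompressors[name]; !ok {
		return "", fmt.Errorf("%w: %q", ErrBadCompressor, input)
	}
	return name, nil
}

// unsafeCompressorCommand is the anti-pattern the CVE describes: the raw
// request string is handed to a shell, so any metacharacters in it become
// part of the command line the daemon executes. Never do this.
func unsafeCompressorCommand(input string) *exec.Cmd {
	return exec.Command("sh", "-c", input+" -c")
}

// SafeCompressorCommand validates first, then builds an argv directly. No
// shell is involved, so the request value can only ever select one of the
// allowlisted binaries. A nil *exec.Cmd with a nil error means "none".
func SafeCompressorCommand(input string) (*exec.Cmd, error) {
	name, err := ValidateCompressionAlgorithm(input)
	if err != nil {
		return nil, err
	}
	bin := allowedCompressors[name]
	if bin == "" {
		return nil, nil
	}
	return exec.Command(bin, "-c"), nil
}

// SafeCompressorArgs exposes the argv that would be executed, for logging
// and testing; an empty slice means no compressor process is spawned.
func SafeCompressorArgs(input string) ([]string, error) {
	cmd, err := SafeCompressorCommand(input)
	if err != nil {
		return nil, err
	}
	if cmd == nil {
		return []string{}, nil
	}
	return cmd.Args, nil
}

func main() {
	// Constructed sample inputs: three valid names and one hostile string
	// of the shape the advisory mentions.
	inputs := []string{"gzip", "zstd", "none", `gzip; bash -c "malicious_command"`}
	for _, in := range inputs {
		args, err := SafeCompressorArgs(in)
		fmt.Printf("%-40q -> argv=%v err=%v\n", in, args, err)
	}
	// The unsafe builder would have produced a single shell line from the
	// hostile input; it is only constructed here, never started.
	fmt.Println("unsafe shell line:", unsafeCompressorCommand(inputs[3]).Args)
}
```

The design choice worth noting is that the validator never tries to strip or escape characters: the value is either exactly one of the known names or it is refused, and the hardened builder passes the binary name and its flag as separate argv entries, so there is no shell left to interpret anything.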
How can this vulnerability impact me?
This vulnerability allows an authenticated user with limited privileges to execute arbitrary commands as the LXD daemon, which runs as root, effectively leading to full host system compromise.

Exploitation can result in container or virtual machine escape, lateral movement within clustered LXD environments, and breaches in multi-tenant shared setups.

Attackers can gain full control over the host's filesystem and memory, modify or delete data, and cause denial of service, impacting confidentiality, integrity, and availability at the highest levels.

The attack complexity is low, requiring only a single crafted API request with valid credentials and entitlements to create images or manage backups. [3, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect if your system is affected by checking the installed LXD snap version and revision against the fixed versions.
- Run the command: `snap list | grep lxd`
Compare the installed version and revision with the fixed versions: 5.0.6-e49d9f4 (5.0/stable), 5.21.4-1374f39 (5.21/stable), and 6.7-1f11451 (6.0 stable). Versions from 4.12 through 6.6 are vulnerable.