CVE-2026-9639
Status: Received - Intake
LXD Denial of Service via Nil-Pointer Dereference in Custom Volume Backup

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Canonical Ltd.

Description
Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
Affected Vendors & Products (3 associated CPEs)
Vendor     Product   Version / Range
canonical  lxd       up to 6.8 (inclusive)
canonical  lxd       5.21
canonical  lxd       5.0.0
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

CVE-2026-9639 is a denial-of-service vulnerability in the LXD container management system, affecting versions up to 6.8 and 5.21 on Linux.

The issue occurs in the CreateCustomVolumeFromBackup function, where an authenticated user with permission to create storage volumes can upload a specially crafted backup tarball that omits the expires_at snapshot field.

Because the code dereferences the missing expires_at field without first checking whether it is nil, the resulting nil-pointer dereference crashes the LXD daemon.

This crash results in a persistent denial of service, as all storage operations on the host or cluster member are aborted until the daemon is manually restarted.

Impact Analysis

This vulnerability can cause a denial of service on systems running vulnerable versions of LXD.

An authenticated user with permission to create storage volumes can crash the LXD daemon by uploading a malicious backup tarball, causing all storage operations to stop.

The impact is that the affected system or cluster member will be unable to perform storage-related tasks until the daemon is manually restarted, potentially disrupting services and operations.

Detection Guidance

This vulnerability occurs when an authenticated user with can_create_storage_volumes permissions uploads a specially crafted custom-volume backup tarball that omits the expires_at snapshot field, causing the LXD daemon to crash due to a nil-pointer dereference.

Detection can involve monitoring the LXD daemon for unexpected crashes or segmentation faults, especially after storage volume backup operations.

Since the attack vector is via the LXD REST API or Unix socket, you can check logs for failed or abnormal storage volume creation or backup restore attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The vulnerability is fixed by adding a nil check for the snapshot.ExpiresAt field before dereferencing it in the LXD storage backend.

Immediate mitigation steps include updating LXD to a release that includes the fix, that is, a release later than 6.8 or 5.21 with the patch applied.

Until the update is applied, restrict or monitor users with can_create_storage_volumes permissions to prevent uploading potentially malicious backup tarballs.

If the daemon crashes, a manual restart is required to restore storage operations.
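An added Go example, not LXD's own code, illustrating the defect class and the fix described above: a snapshot record whose expires_at key is absent unmarshals to a nil pointer, the unchecked dereference panics, and the hardened restore path checks for nil before dereferencing. The type and function names, the JSON shape of the backup index and the sample records are assumptions constructed for this example; whether a restore with a missing expiry is rejected or treated as "never expires" is a policy choice, and this example rejects it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SnapshotConfig stands in for the per-snapshot metadata in a custom-volume
// backup index (assumed shape, not LXD's own type). ExpiresAt is a pointer
// because expires_at is optional: a tarball that omits the key leaves it nil.
type SnapshotConfig struct {
	Name      string     `json:"name"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
}
// ErrMissingExpiry is returned instead of panicking when expires_at is absent.
var ErrMissingExpiry = errors.New("snapshot metadata omits expires_at")
// unsafeExpiry is the defect class (CWE-476): it dereferences ExpiresAt with
// no nil check, so a snapshot without expires_at panics; in a daemon an
// unrecovered panic takes the whole process down.
func unsafeExpiry(s SnapshotConfig) time.Time { return *s.ExpiresAt }
// PanicsOnNil reports whether unsafeExpiry panics for s, recovering so the
// demonstration itself survives the crash.
func PanicsOnNil(s SnapshotConfig) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = unsafeExpiry(s)
	return false
}
// RestoreExpiries is the hardened path: it parses a backup index, checks for
// nil before every dereference and rejects the whole restore (a policy choice
// for this example) if any snapshot lacks expires_at.
func RestoreExpiries(index []byte) (map[string]time.Time, error) {
	var snaps []SnapshotConfig
	if err := json.Unmarshal(index, &snaps); err != nil {
		return nil, fmt.Errorf("parse backup index: %w", err)
	}
	out := make(map[string]time.Time, len(snaps))
	for _, s := range snaps {
		if s.ExpiresAt == nil {
			return nil, fmt.Errorf("snapshot %q: %w", s.Name, ErrMissingExpiry)
		}
		out[s.Name] = *s.ExpiresAt
	}
	return out, nil
}
// Constructed sample index: snap1 omits expires_at, like the crafted tarball.
const SampleIndex = `[{"name":"snap0","expires_at":"2026-07-01T00:00:00Z"},{"name":"snap1"}]`
```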
