CVE-2026-9639
Analyzed Analyzed - Analysis Complete

LXD Denial of Service via Nil-Pointer Dereference in Custom Volume Backup

Vulnerability report for CVE-2026-9639, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-02

Assigner: Canonical Ltd.

Description

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-02
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
canonical lxd From 6.0 (inc) to 6.9 (exc)
canonical lxd From 5.0.0 (inc) to 5.21.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9639 is a denial-of-service vulnerability in the LXD container management system, affecting versions up to 6.8 and 5.21 on Linux.

The issue occurs in the CreateCustomVolumeFromBackup function, where an authenticated user with permission to create storage volumes can upload a specially crafted backup tarball that omits the expires_at snapshot field.

Because the code attempts to dereference this missing expires_at field without checking if it is nil, it causes a nil-pointer dereference leading to a crash of the LXD daemon.

This crash results in a persistent denial of service, as all storage operations on the host or cluster member are aborted until the daemon is manually restarted.

Detection Guidance

This vulnerability occurs when an authenticated user with can_create_storage_volumes permissions uploads a specially crafted custom-volume backup tarball that omits the expires_at snapshot field, causing the LXD daemon to crash due to a nil-pointer dereference.

Detection can involve monitoring the LXD daemon for unexpected crashes or segmentation faults, especially after storage volume backup operations.

Since the attack vector is via the LXD REST API or Unix socket, you can check logs for failed or abnormal storage volume creation or backup restore attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Impact Analysis

This vulnerability can cause a denial of service on systems running vulnerable versions of LXD.

An authenticated user with permission to create storage volumes can crash the LXD daemon by uploading a malicious backup tarball, causing all storage operations to stop.

The impact is that the affected system or cluster member will be unable to perform storage-related tasks until the daemon is manually restarted, potentially disrupting services and operations.

Compliance Impact

The vulnerability described is a denial-of-service issue that allows an authenticated user with specific permissions to crash the LXD daemon, causing service disruption.

There is no information provided in the context or resources about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The vulnerability is fixed by adding a nil check for the snapshot.ExpiresAt field before dereferencing it in the LXD storage backend.

Immediate mitigation steps include updating LXD to a version that includes the fix, such as versions after 6.8 or 5.21 with the patch applied.

Until the update is applied, restrict or monitor users with can_create_storage_volumes permissions to prevent uploading potentially malicious backup tarballs.

If the daemon crashes, a manual restart is required to restore storage operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9639. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart