PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12411 Canonical CVE debrief

CVE-2026-12411 is a HIGH severity vulnerability in Canonical LXD, allowing an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled. The vulnerability has a CVSS score of 8.4 and was published on June 26, 2026. The CVE record and NVD detail provide further information on this vulnerability. A patch is available in the LXD repository. Users should review their LXD configurations and apply the patch to mitigate this vulnerability.

Vendor
Canonical
Product
LXD
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-07-02
Advisory published
2026-06-26
Advisory updated
2026-07-02

Who should care

Users of Canonical LXD, especially those with untrusted guests, should be aware of this vulnerability and take steps to mitigate it. Reviewing LXD configurations and applying the available patch are crucial to preventing exploitation. Security teams and administrators responsible for LXD deployments should prioritize this vulnerability.

Technical summary

The vulnerability, CVE-2026-12411, is caused by a broken access control in the devLXDInstancePatchHandler component of Canonical LXD. An untrusted guest can exploit this by sending a crafted device PATCH request over /dev/lxd, allowing them to mount, read, and overwrite another guest's custom storage volume if security.devlxd.management.volumes is enabled. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. This indicates a high severity vulnerability that requires local access but can have significant impacts.

Defensive priority

This vulnerability should be prioritized for remediation due to its high severity and the potential for significant impact. Applying the patch provided in the LXD repository is crucial to mitigating this vulnerability.

Recommended defensive actions

  • Review LXD configurations to ensure security.devlxd.management.volumes is not enabled if not required.
  • Apply the patch available in the LXD repository to fix the broken access control.
  • Monitor LXD deployments for any suspicious activity related to device PATCH requests.
  • Consider compensating controls such as restricting access to /dev/lxd.
  • Update inventory to track LXD deployments and their configurations.

Evidence notes

The CVE record and NVD detail provide official information on this vulnerability. Additional references include a patch in the LXD repository and a vendor advisory. The vulnerability allows an untrusted guest to access and modify another guest's storage, indicating a need for immediate remediation.

Official resources

This article is AI-assisted and based on the supplied source corpus.