PatchSiren cyber security CVE debrief
CVE-2026-9639 Canonical CVE debrief
CVE-2026-9639 is a medium-severity vulnerability in LXD, a container hypervisor, that allows an authenticated user with 'can_create_storage_volumes' permissions to cause a denial of service. The vulnerability is due to a nil-pointer dereference in the 'CreateCustomVolumeFromBackup' function. An attacker can exploit this vulnerability by providing a specially crafted custom-volume backup tarball that omits the 'expires_at' snapshot field. This vulnerability affects LXD versions up to 6.8 and 5.21 on Linux.
- Vendor: Canonical
- Product: LXD
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-26
- Original CVE updated: 2026-07-02
- Advisory published: 2026-06-26
- Advisory updated: 2026-07-02
Who should care
Users of LXD, particularly those running versions up to 6.8 or 5.21, should be aware of this vulnerability. Any authenticated user who holds the 'can_create_storage_volumes' permission is in a position to trigger it. Administrators of Linux systems running LXD should assess their exposure and apply the mitigation steps below.
Technical summary
The vulnerability is a nil-pointer dereference in LXD's 'CreateCustomVolumeFromBackup' function, which restores a custom storage volume from a backup tarball. An authenticated user with the 'can_create_storage_volumes' permission can supply a custom-volume backup tarball whose snapshot metadata omits the 'expires_at' field; the restore code dereferences the missing value and the LXD daemon crashes, resulting in a denial of service.
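The defect class described above, as an added illustration that is not LXD's code: a backup index is decoded into a struct whose optional 'expires_at' is a pointer, so an omitted field becomes nil, and the restore path either checks for that (safe) or dereferences it blindly (panic). The JSON layout, struct names and the 'checkNil' switch are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Snapshot models one entry of a backup index (hypothetical layout, not
// LXD's real format); a pointer field decodes to nil when omitted.
type Snapshot struct {
	Name      string     `json:"name"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
}

// Constructed sample index: the second snapshot omits expires_at.
const sampleIndex = `{"snapshots":[{"name":"snap0",
  "expires_at":"2026-12-31T00:00:00Z"},{"name":"snap1"}]}`

// RestoreSnapshots parses the index and reports per snapshot whether an
// expiry is set. With checkNil=false it dereferences ExpiresAt blindly (the
// defect class behind the CVE); recover() turns the panic into an error.
func RestoreSnapshots(raw string, checkNil bool) (result map[string]bool, err error) {
	var idx struct {
		Snapshots []Snapshot `json:"snapshots"`
	}
	if err = json.Unmarshal([]byte(raw), &idx); err != nil {
		return nil, err
	}
	defer func() {
		if r := recover(); r != nil {
			result, err = nil, fmt.Errorf("restore aborted: %v", r)
		}
	}()
	result = make(map[string]bool)
	for _, s := range idx.Snapshots {
		if checkNil && s.ExpiresAt == nil {
			result[s.Name] = false // no expiry: keep the snapshot indefinitely
			continue
		}
		result[s.Name] = !s.ExpiresAt.IsZero() // nil pointer here panics
	}
	return result, nil
}

func main() {
	fmt.Println(RestoreSnapshots(sampleIndex, false))
	fmt.Println(RestoreSnapshots(sampleIndex, true))
}
```

In a real daemon there is no recover() around the request handler, which is why the unchecked path takes the whole service down rather than failing one request.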
Defensive priority
Patching LXD installations on versions up to 6.8 or 5.21 should be treated as a medium priority. Administrators should also ensure that only users who genuinely need it hold the 'can_create_storage_volumes' permission, since that is the precondition for triggering the crash.
Recommended defensive actions
- Patch LXD to version 6.9 or later, or 5.21.5 or later.
- Restrict 'can_create_storage_volumes' permissions to only necessary users.
- Monitor LXD logs for suspicious activity.
- Perform regular security audits of LXD configurations and user permissions.
- Consider implementing additional security controls, such as network access controls and intrusion detection systems.
Evidence notes
The CVE-2026-9639 vulnerability was made public on June 26, 2026, and last modified on July 2, 2026. The vulnerability affects LXD versions up to 6.8 and 5.21 on Linux. The CVSS score for this vulnerability is 6.5, with a severity rating of Medium.
Official resources
- CVE-2026-9639 CVE record (CVE.org)
- CVE-2026-9639 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Vendor Advisory
This article was generated with AI assistance based on the supplied source corpus.