github.com/canonical/lxd
Go8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/canonical/lxdpage 1 of 1
- CVE-2024-6156LOWCVSS 3.8EG 3.8✓ Fixed in 0.0.0-20240708073652-5a492a3f00362024-12-06
Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.
- CVE-2024-6219LOWCVSS 3.8EG 3.8✓ Fixed in 0.0.0-20240403103450-0e7f2b5bf4d22024-12-06
Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.
- CVE-2025-54288MEDIUMCVSS 6.8EG 6.8✓ Fixed in 5.21.42025-10-02
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration,…
- CVE-2025-54289HIGHCVSS 8.1EG 8.1✓ Fixed in 5.21.42025-10-02
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
- CVE-2025-54291MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.21.42025-10-02
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
- CVE-2026-34177CRITICALCVSS 9.1EG 9.12026-04-09
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual…
- CVE-2026-34178CRITICALCVSS 9.1EG 9.12026-04-09
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that i…
- CVE-2026-34179CRITICALCVSS 9.1EG 9.12026-04-09
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, …
Check whether github.com/canonical/lxd is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/canonical/lxd CVEs against the assets you own.
Start Free Scan →