Description
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
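The flaw is a textbook CWE-184: the restriction is enforced by enumerating forbidden keys, so any low-level key left off the list passes. The following is an added illustration, not code from LXD or from the advisory: it models an enumerated denylist that misses raw.apparmor and raw.qemu.conf, the same list with those keys added (the shape of the fix), and a hypothetical namespace rule that blocks every raw.* key so that a later-added raw option cannot slip through. The key raw.qemu is a documented LXD VM option; the config values, the limits.cpu entry and all function names here are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Enumerated denylist standing in for the vulnerable check: the two keys named
// in the advisory are absent. Constructed for illustration; not LXD's list.
var lowLevelKeysIncomplete = map[string]bool{
	"raw.qemu": true,
}

// The same list with the omitted keys added, mirroring the shape of the fix.
// Constructed for illustration; not LXD's list.
var lowLevelKeysComplete = map[string]bool{
	"raw.qemu":      true,
	"raw.apparmor":  true,
	"raw.qemu.conf": true,
}

func isForbiddenIncomplete(key string) bool { return lowLevelKeysIncomplete[key] }
func isForbiddenComplete(key string) bool   { return lowLevelKeysComplete[key] }

// Hypothetical alternative: treat the whole raw.* namespace as low-level
// instead of enumerating keys, so the list cannot fall behind new options.
func isRawNamespaceKey(key string) bool {
	return strings.HasPrefix(key, "raw.")
}

// ForbiddenKeys returns, sorted, the keys in a proposed instance config that a
// user must not be allowed to set when the project carries
// restricted.virtual-machines.lowlevel=block, as judged by the supplied check.
// With the restriction off, nothing is blocked.
func ForbiddenKeys(config map[string]string, lowLevelBlocked bool, forbidden func(string) bool) []string {
	if !lowLevelBlocked {
		return nil
	}
	var out []string
	for key := range config {
		if forbidden(key) {
			out = append(out, key)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed config edit as a can_edit user might submit it; the values
	// are placeholders, not a working payload.
	proposed := map[string]string{
		"limits.cpu":    "2",
		"raw.qemu":      "placeholder",
		"raw.apparmor":  "placeholder",
		"raw.qemu.conf": "placeholder",
	}
	fmt.Println("incomplete list blocks:", ForbiddenKeys(proposed, true, isForbiddenIncomplete))
	fmt.Println("fixed list blocks:     ", ForbiddenKeys(proposed, true, isForbiddenComplete))
	fmt.Println("raw.* rule blocks:     ", ForbiddenKeys(proposed, true, isRawNamespaceKey))
}
```

Run with `go run`: the first line shows only raw.qemu caught while raw.apparmor and raw.qemu.conf pass, which is the bypass; the other two lines block all three. When reviewing a denylist of this kind, the check a practitioner wants is the complement: list every key the product documents in the raw.* (or equivalent low-level) namespace and confirm each one is present in the forbidden set.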
Problem types
CWE-184 Incomplete list of disallowed inputs
Product status
4.12.0 (semver) before 5.0.7
5.1.0 (semver) before 5.21.5
6.0.0 (semver) before 6.8.0
Credits
Miha Purg
References
github.com/...al/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f (VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf)
github.com/canonical/lxd/pull/17909 (lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked)