CVE-2026-12411 (GCVE-0-2026-12411)
Vulnerability from cvelistv5 – Published: 2026-06-26 15:27 – Updated: 2026-06-26 16:02
VLAI
Title
Broken Access Control in Canonical LXD DevLXD API
Summary
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/canonical/lxd/security/advisor… | vdb-entryvendor-advisory |
| https://github.com/canonical/lxd/pull/18585 | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12411",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:02:35.514095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:02:55.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"permissions.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.9",
"status": "affected",
"version": "6.6",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest\u0027s custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."
}
],
"impacts": [
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "Manipulating User-Controlled Variables"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:27:55.111Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "Cross-guest volume hijack via DevLXD device patch",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
},
{
"name": "Security fixes from the 6.9 release",
"tags": [
"patch"
],
"url": "https://github.com/canonical/lxd/pull/18585"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to LXD version 6.9 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control in Canonical LXD DevLXD API"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-12411",
"datePublished": "2026-06-26T15:27:55.111Z",
"dateReserved": "2026-06-16T15:07:27.771Z",
"dateUpdated": "2026-06-26T16:02:55.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-12411\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T16:02:35.514095Z\"}}}], \"references\": [{\"url\": \"https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T16:02:51.096Z\"}}], \"cna\": {\"title\": \"Broken Access Control in Canonical LXD DevLXD API\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-77\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"Manipulating User-Controlled Variables\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/canonical/lxd\", \"vendor\": \"Canonical\", \"product\": \"lxd\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.6\", \"lessThan\": \"6.9\", \"versionType\": \"semver\"}], \"platforms\": [\"Linux\"], \"packageName\": \"lxd\", \"programFiles\": [\"permissions.go\"], \"collectionURL\": \"https://github.com/canonical\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to LXD version 6.9 or later.\"}], \"references\": [{\"url\": \"https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp\", \"name\": \"Cross-guest volume hijack via DevLXD device patch\", \"tags\": [\"vdb-entry\", \"vendor-advisory\"]}, {\"url\": \"https://github.com/canonical/lxd/pull/18585\", \"name\": \"Security fixes from the 6.9 release\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest\u0027s custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization bypass through User-Controlled key\"}, {\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2026-06-26T15:27:55.111Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-12411\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T16:02:55.284Z\", \"dateReserved\": \"2026-06-16T15:07:27.771Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2026-06-26T15:27:55.111Z\", \"assignerShortName\": \"canonical\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…