Description

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.

INFO

Published Date :

2026-03-12T14:51:29.991Z

Last Modified :

2026-03-13T16:30:06.396Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28384 vulnerability.

Vendors Products
Canonical
  • Lxd
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28384.

URL Resource
https://discourse.ubuntu.com/t/lxd-authenticated-remote-code-execution-fixes-available/78365 cve-icon cve-icon
https://github.com/canonical/lxd/commit/043696a13171ace7dd4c2b32d34ce039ab629052 cve-icon cve-icon
https://github.com/canonical/lxd/commit/7046979645c2ce1b63b2f9e60ddf6cbc4c4b78f9 cve-icon cve-icon
https://github.com/canonical/lxd/commit/b7b411caf5c4971bfe2386c72128f44d7e2aaf4f cve-icon cve-icon
https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability