CVE-2026-9640 | A privilege escalation vulnerability exists in LXD from 6.0 … | CVSS 7.2 HIGH

Description

A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.

Metadata

CVE ID: CVE-2026-9640
State: PUBLISHED
Assigner: canonical
Reserved: 2026-05-26 18:31 UTC
Published: 2026-06-26 15:50 UTC
Last updated: 2026-06-27 03:55 UTC
Primary CWE: CWE-863
CWE-863: Incorrect Authorization
Vendor / Product: Canonical / LXD
Sources: cve.org · NVD

Severity & Metrics

7.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Canonical	LXD	Linux	5.21.0 < 5.21.5, 5.0.0 < 5.0.7, 6.0 < 6.9

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (4)