Overview
A critical vulnerability tracked as CVE-2026-34177 has been discovered in Canonical LXD, the open-source container and virtual machine manager. Affecting versions 4.12 through 6.7, the flaw stems from an incomplete denylist in the isVMLowLevelOptionForbidden function, which fails to block the raw.apparmor and raw.qemu.conf configuration keys under the restricted.virtual-machines.lowlevel=block project restriction. The vulnerability carries a CVSS score of 9.1 (Critical).
Vulnerability Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-34177 |
| CVSS Score | 9.1 (Critical) |
| Affected Versions | Canonical LXD 4.12 through 6.7 |
| Fixed Version | Canonical LXD 6.8+ |
| Affected File | lxd/project/limits/permissions.go — isVMLowLevelOptionForbidden |
| Attack Vector | Network (Remote) |
| Attack Complexity | Low |
Technical Analysis
LXD supports project-level restrictions that limit what configuration options users can apply to virtual machines. The restricted.virtual-machines.lowlevel=block restriction is intended to prevent users from setting low-level VM configuration options that could be used for privilege escalation or security bypass.
The function responsible for enforcing this restriction — isVMLowLevelOptionForbidden in lxd/project/limits/permissions.go — maintains a denylist of forbidden configuration keys. However, the denylist is incomplete: it omits two critical keys:
- raw.apparmor — Allows arbitrary AppArmor profile rules to be injected into the VM's security profile
- raw.qemu.conf — Allows raw QEMU configuration directives to be passed directly to the QEMU hypervisor
Impact of missing entries:
A remote attacker (or a malicious tenant in a multi-tenant LXD deployment) can set these configuration options on a virtual machine even when the restricted.virtual-machines.lowlevel=block restriction is active. This can be leveraged to:
- Bypass AppArmor confinement by overriding or weakening the VM's AppArmor profile via raw.apparmor
- Inject arbitrary QEMU configuration via raw.qemu.conf to modify VM hardware simulation, potentially enabling escape from the VM sandbox
In a cloud or shared hosting context where LXD projects are used to isolate tenants, this flaw could allow one tenant to escape their VM isolation and potentially gain access to the host or other tenants' environments.
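To make the defect concrete, here is an added Go model of the denylist check described above (not LXD's own code): the function name follows the advisory, but its signature, the way the project restriction is read, and the placeholder raw.qemu entry are assumptions; only the restriction key and the two omitted config keys come from the advisory.

```go
package main

import (
	"fmt"
	"sort"
)

// Added model of the check the advisory describes, not LXD's code; only the
// restriction key and the two omitted config keys come from the advisory.
const lowLevelRestriction = "restricted.virtual-machines.lowlevel"

// Pre-6.8 list as the advisory describes it: raw.apparmor and raw.qemu.conf
// are missing. "raw.qemu" is an assumed placeholder entry.
var vulnerableDenylist = map[string]bool{"raw.qemu": true}

// Post-fix list: the two keys the advisory says LXD 6.8 adds.
var fixedDenylist = map[string]bool{
	"raw.qemu": true, "raw.apparmor": true, "raw.qemu.conf": true, // first is assumed
}

// isVMLowLevelOptionForbidden (hypothetical signature) rejects a VM config key
// only when the project sets the restriction to "block" and the key is listed;
// a key missing from the denylist is silently allowed, which is the defect.
func isVMLowLevelOptionForbidden(projectConfig map[string]string, denylist map[string]bool, key string) bool {
	if projectConfig[lowLevelRestriction] != "block" {
		return false
	}
	return denylist[key]
}

// forbiddenKeys returns, sorted, the keys of a submitted VM config that the
// given denylist rejects, so pre- and post-fix behaviour can be compared.
func forbiddenKeys(projectConfig map[string]string, denylist map[string]bool, vmConfig map[string]string) []string {
	var out []string
	for k := range vmConfig {
		if isVMLowLevelOptionForbidden(projectConfig, denylist, k) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	project := map[string]string{lowLevelRestriction: "block"}
	// Constructed tenant request; values are placeholders, not real rules.
	vm := map[string]string{"raw.apparmor": "x", "raw.qemu.conf": "x", "raw.qemu": "x"}
	fmt.Println("pre-6.8 rejects:", forbiddenKeys(project, vulnerableDenylist, vm)) // [raw.qemu]
	fmt.Println("6.8+ rejects:   ", forbiddenKeys(project, fixedDenylist, vm))      // [raw.apparmor raw.qemu raw.qemu.conf]
}
```

The same request that the pre-6.8 list lets through with both keys intact is rejected once the two entries are present, which is exactly the behavioural change the 6.8 fix introduces.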
Affected Deployment Context
This vulnerability is most severe in:
- Multi-tenant LXD deployments (cloud providers, hosting platforms, managed services)
- Development environments where project restrictions are used to limit developer access
- CI/CD pipelines using LXD VMs for test isolation
Users running LXD as a single-user system with full administrative access are at lower risk but should still upgrade.
Remediation
Upgrade to Canonical LXD 6.8 or later, which corrects the isVMLowLevelOptionForbidden function to include raw.apparmor and raw.qemu.conf in the restricted key set.
Interim mitigations (if immediate upgrade is not possible):
- Avoid relying on restricted.virtual-machines.lowlevel=block as a security boundary until patched
- Restrict project-level API access to trusted users only; do not expose LXD API endpoints to untrusted network principals
- Audit existing VMs for use of the raw.apparmor or raw.qemu.conf configuration keys to identify potential exploitation
- Monitor AppArmor logs for unexpected profile modifications or denials associated with LXD-managed VMs
```bash
# Check for existing VMs using the affected raw keys
lxc config show <vm-name> | grep -E 'raw\.apparmor|raw\.qemu\.conf'
```
Related Vulnerability
This CVE was disclosed alongside CVE-2026-34178, a separate LXD backup import path bypass also rated CVSS 9.1, which allows authenticated attackers to create instances bypassing project restriction checks. Both vulnerabilities were fixed in LXD 6.8.