Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1822+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-34178: Canonical LXD Backup Import Path
CVE-2026-34178: Canonical LXD Backup Import Path

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-34178

CVE-2026-34178: Canonical LXD Backup Import Path

A critical CVSS 9.1 vulnerability in Canonical LXD before 6.8 allows authenticated attackers to bypass project restrictions during backup import. The...

Dylan H.

Security Team

April 10, 2026
4 min read

Affected Products

  • Canonical LXD before 6.8

Overview

A critical vulnerability tracked as CVE-2026-34178 affects Canonical LXD before version 6.8. During backup import operations, LXD validates project restrictions against backup/index.yaml inside the supplied tar archive, but then creates the instance using backup/container/backup.yaml — a separate file within the same archive that is never checked against project restrictions. An authenticated attacker can exploit this discrepancy to create instances that violate project restriction policies. The vulnerability carries a CVSS score of 9.1 (Critical).

Vulnerability Details

FieldDetails
CVE IDCVE-2026-34178
CVSS Score9.1 (Critical)
Affected VersionsCanonical LXD before 6.8
Fixed VersionCanonical LXD 6.8
Attack VectorNetwork (Authenticated)
Attack ComplexityLow
Privileges RequiredLow (authenticated user)

Technical Analysis

LXD supports importing instance backups from tar archives. This import process is designed to enforce project-level restrictions — ensuring that an imported instance adheres to the same resource and configuration limits as any other instance in the project.

The vulnerability exploits a path confusion / split-brain validation flaw:

  1. Validation step: LXD reads and validates project restrictions against backup/index.yaml inside the uploaded tar archive
  2. Creation step: LXD creates the actual instance using backup/container/backup.yaml — a different file in the same archive

Since these are two separate files, an attacker can craft a malicious tar archive where:

  • backup/index.yaml contains a benign, restriction-compliant configuration (passes validation)
  • backup/container/backup.yaml contains a malicious configuration that violates project restrictions (never checked)

Exploit scenario:

malicious_backup.tar
├── backup/
│   ├── index.yaml          ← Checked against project restrictions (passes)
│   └── container/
│       └── backup.yaml     ← Used to CREATE instance (NEVER checked)

An authenticated attacker with backup import privileges can construct such an archive and import it, causing LXD to create an instance with configuration that the project restrictions would normally forbid — such as excessive CPU/memory limits, privileged containers, host device mappings, or restricted network configurations.

Impact

In multi-tenant or restricted-access LXD environments, project restrictions are the primary mechanism for enforcing resource and security policies between users. Bypassing these restrictions allows:

  • Resource limit evasion: Creating instances with more CPU, RAM, or storage than permitted
  • Privileged container creation: Creating privileged containers that can access the host filesystem
  • Unauthorized device access: Mapping host devices (GPU, disks, USB) not permitted by project policy
  • Security policy bypass: Setting configuration options that are explicitly blocked by project administrators

This is especially impactful on cloud platforms, shared LXD clusters, and LXD-based PaaS offerings where project isolation is a core security guarantee.

Relationship to CVE-2026-34177

This vulnerability was disclosed alongside CVE-2026-34177, which describes an incomplete denylist in LXD's isVMLowLevelOptionForbidden function (also CVSS 9.1). Both vulnerabilities affect LXD's project restriction enforcement mechanism and were fixed together in LXD 6.8.

Organizations should treat both CVEs as part of the same remediation effort and upgrade to 6.8 promptly.

Remediation

Upgrade to Canonical LXD 6.8 or later. This version corrects the backup import logic to validate project restrictions against backup/container/backup.yaml (the file actually used for instance creation) rather than solely relying on backup/index.yaml.

Interim mitigations:

  • Restrict backup import permissions — remove backup import capabilities from untrusted or low-privilege users via project configuration
  • Audit recent backup imports — review any backup imports performed since LXD 4.12 (or earlier) for configuration anomalies
  • Monitor project resource usage — watch for instances exceeding their expected resource allocations, which may indicate exploitation
# Check who has performed recent backup imports
lxc monitor --type operation | grep -i backup
 
# Verify project restrictions are correctly applied
lxc project show <project-name> | grep -A 50 config

Upgrade Path

# Upgrade LXD via snap (standard installation)
sudo snap refresh lxd --channel=latest/stable
 
# Verify version
lxd --version

References

  • NVD - CVE-2026-34178
  • Canonical LXD GitHub

Related Reading

  • CVE-2026-34177: Canonical LXD Incomplete VM Restriction
  • CVE-2026-22172: OpenClaw Critical Authorization Bypass via
  • CVE-2026-29646: OpenXiangShan NEMU RISC-V Hypervisor
#CVE#LXD#Canonical#Privilege Escalation#Container Security#Vulnerability

Related Articles

CVE-2026-34177: Canonical LXD Incomplete VM Restriction

A critical CVSS 9.1 flaw in Canonical LXD versions 4.12 through 6.7 omits raw.apparmor and raw.qemu.conf from the VM low-level option denylist, allowing...

3 min read

CVE-2022-0492: Linux Kernel Improper Authentication Vulnerability

A Linux kernel vulnerability in the cgroups v1 release_agent feature allows local attackers to escalate privileges and escape containers. Added to CISA KEV…

3 min read

CVE-2026-47369: UniFi OS Privilege Escalation via Improper Input Validation

A critical CVSS 9.9 privilege escalation vulnerability in Ubiquiti UniFi OS allows a low-privileged network attacker to escalate privileges within UniFi...

5 min read
Back to all Security Alerts