CVE-2026-9639
Publication date 26 June 2026
Last updated 29 June 2026
Ubuntu priority
Description
Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| lxd | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Notes
rodrigo-zaiden
LXD is being published as a snap since jammy. This CVE affects version >= 5.0.0, so it doesn't touch versions present in the archive.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
6.5 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H