LXD <=6.9 PrivEsc via Malicious Snapshot (Project Reverse Policy)
CVE-2026-9640 Published on June 26, 2026
LXD Snapshot Import Privilege Escalation Vulnerability
A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 in the handling of project-restriction policies during snapshot restoration. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
Vulnerability Analysis
CVE-2026-9640 is exploitable with network access and requires user privileges. The attack complexity is considered low. A public proof-of-concept (PoC) exploit exists for CVE-2026-9640. The potential impact of exploiting this vulnerability is considered very high.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-9640 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-9640
Affected Versions
Canonical LXD:
- Versions from 5.21.0 up to, but not including, 5.21.5 are affected.
- Versions from 5.0.0 up to, but not including, 5.0.7 are affected.
- Versions from 6.0 up to, but not including, 6.9 are affected.
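As an added check that is not part of the advisory, the following POSIX shell functions test an LXD version string against the three affected ranges listed above (lower bound inclusive, fixed release exclusive). Feeding it the output of `lxd --version`, and that this output begins with a plain `MAJOR.MINOR[.PATCH]` token, are assumptions; anything after the first space is discarded.

```shell
#!/bin/sh
# Added example, not from the advisory or the LXD project:
# decide whether an LXD version falls inside the ranges affected by CVE-2026-9640.
# Affected: 5.0.0 <= v < 5.0.7, 5.21.0 <= v < 5.21.5, 6.0 <= v < 6.9

# Convert "MAJOR.MINOR[.PATCH]" to one comparable integer; a missing PATCH counts as 0.
# Any suffix after the first space (e.g. a series label) is dropped.
vernum() {
    ver=${1%% *}
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    printf '%d' $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Exit status 0 when the version is inside an affected range, 1 otherwise.
lxd_affected() {
    v=$(vernum "$1")
    # each entry: "first affected version" "first fixed version"
    for range in "5.0.0 5.0.7" "5.21.0 5.21.5" "6.0 6.9"; do
        set -- $range
        lo=$(vernum "$1")
        hi=$(vernum "$2")
        if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Human-readable verdict; usage: lxd_report "$(lxd --version)"  (assumed invocation)
lxd_report() {
    if lxd_affected "$1"; then
        echo "LXD $1: affected by CVE-2026-9640, upgrade to the fixed release of your series"
    else
        echo "LXD $1: not in an affected range"
    fi
}
```

Run it on each host's daemon version; because the upper bound of each range is the first fixed release, a version equal to 5.0.7, 5.21.5 or 6.9 is reported as not affected.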