Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-34178 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-34178 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-34178 is a security control bypass vulnerability in Canonical LXD, the Linux container and virtual machine manager, affecting versions prior to 6.8, where inconsistent file parsing during backup import allows project restrictions to be circumvented.

Technical Detail

The flaw arises from a TOCTOU-style logic inconsistency in LXD's backup import process: project restriction validation is performed against backup/index.yaml within the supplied tar archive, but the instance is actually created using backup/container/backup.yaml, a separate file that is not subject to the same validation checks. An attacker with access to the backup import functionality can craft a malicious tar archive where backup/index.yaml contains a benign, policy-compliant configuration while backup/container/backup.yaml specifies a configuration that violates project restrictions, effectively bypassing access controls. The practical impact is unauthorized instance creation outside of enforced project boundaries, which can lead to privilege escalation or tenant isolation breakout in multi-tenant LXD deployments.

Exploitation Status

No known exploit code has been identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning no public proof-of-concept or operational tooling has been confirmed as of April 16, 2026.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.

What To Do

Upgrade Canonical LXD to version 6.8 or later immediately, as this release contains the fix that aligns validation logic to use the same file from which the instance is created. Organizations running LXD in multi-tenant or shared infrastructure environments should treat this as a high-priority patch given the CVSS score of 9.1 and the potential for tenant isolation bypass. As an interim workaround, restrict access to the backup import functionality to trusted administrators only and audit existing project restriction policies for any anomalous instance configurations. Monitor LXD logs for unexpected instance creation events, particularly those involving backup import operations from untrusted sources.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →