CVE-2026-9639 - Vulnerability Details - OpenCVE

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/canonical/lxd/pull/18320
https://github.com/canonical/lxd/pull/18390
https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8

History

Fri, 26 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
Title		Authenticated Denial of Service via Malicious Backup Tarball in LXD
Weaknesses		CWE-476
References		https://github.com/canonical/lxd/pull/18320 https://github.com/canonical/lxd/pull/18390 https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-06-26T15:39:04.696Z

Updated: 2026-06-26T16:02:11.520Z

Reserved: 2026-05-26T18:31:05.985Z

Link: CVE-2026-9639

Vulnrichment

Updated: 2026-06-26T16:02:07.362Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9639", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-05-26T18:31:05.985Z", "datePublished": "2026-06-26T15:39:04.696Z", "dateUpdated": "2026-06-26T16:02:11.520Z"}, "containers": {"cna": {"title": "Authenticated Denial of Service via Malicious Backup Tarball in LXD", "descriptions": [{"lang": "en", "value": "Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field."}], "affected": [{"vendor": "Canonical", "product": "LXD", "packageName": "LXD", "platforms": ["Linux"], "repo": "https://github.com/canonical/lxd", "defaultStatus": "unaffected", "versions": [{"version": "5.21.0", "status": "affected", "versionType": "semver", "lessThan": "5.21.5"}, {"version": "6.0", "status": "affected", "versionType": "semver", "lessThan": "6.9"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-476 NULL pointer dereference", "cweId": "CWE-476", "type": "CWE"}]}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/18320", "tags": ["patch"]}, {"url": "https://github.com/canonical/lxd/pull/18390", "tags": ["patch"]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "source": {"discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Upgrade to LXD version 5.21.5 or later, or 6.9 or later."}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-06-26T15:39:04.696Z"}}, "adp": [{"references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T16:01:50.334142Z", "id": "CVE-2026-9639", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:02:11.520Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-9639", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T16:01:50.334142Z"}}}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:02:07.362Z"}}], "cna": {"title": "Authenticated Denial of Service via Malicious Backup Tarball in LXD", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/canonical/lxd", "vendor": "Canonical", "product": "LXD", "versions": [{"status": "affected", "version": "5.21.0", "lessThan": "5.21.5", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.9", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "LXD", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to LXD version 5.21.5 or later, or 6.9 or later."}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/18320", "tags": ["patch"]}, {"url": "https://github.com/canonical/lxd/pull/18390", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL pointer dereference"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-06-26T15:39:04.696Z"}}}, "cveMetadata": {"cveId": "CVE-2026-9639", "state": "PUBLISHED", "dateUpdated": "2026-06-26T16:02:11.520Z", "dateReserved": "2026-05-26T18:31:05.985Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-06-26T15:39:04.696Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}