CVE-2026-12411 - Vulnerability Details - OpenCVE

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/canonical/lxd/pull/18585
https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp

History

Fri, 26 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
Title		Broken Access Control in Canonical LXD DevLXD API
Weaknesses		CWE-639 CWE-862
References		https://github.com/canonical/lxd/pull/18585 https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
Metrics		cvssV3_1 `{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-06-26T15:27:55.111Z

Updated: 2026-06-26T16:02:55.284Z

Reserved: 2026-06-16T15:07:27.771Z

Link: CVE-2026-12411

Vulnrichment

Updated: 2026-06-26T16:02:51.096Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12411", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-06-16T15:07:27.771Z", "datePublished": "2026-06-26T15:27:55.111Z", "dateUpdated": "2026-06-26T16:02:55.284Z"}, "containers": {"cna": {"title": "Broken Access Control in Canonical LXD DevLXD API", "descriptions": [{"lang": "en", "value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."}], "affected": [{"vendor": "Canonical", "product": "lxd", "collectionURL": "https://github.com/canonical", "packageName": "lxd", "programFiles": ["permissions.go"], "platforms": ["Linux"], "repo": "https://github.com/canonical/lxd", "defaultStatus": "unaffected", "versions": [{"version": "6.6", "status": "affected", "versionType": "semver", "lessThan": "6.9"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization bypass through User-Controlled key", "cweId": "CWE-639", "type": "CWE"}, {"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp", "name": "Cross-guest volume hijack via DevLXD device patch", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/18585", "name": "Security fixes from the 6.9 release", "tags": ["patch"]}], "impacts": [{"capecId": "CAPEC-77", "descriptions": [{"lang": "en", "value": "Manipulating User-Controlled Variables"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to LXD version 6.9 or later."}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-06-26T15:27:55.111Z"}}, "adp": [{"references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T16:02:35.514095Z", "id": "CVE-2026-12411", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:02:55.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12411", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-26T16:02:35.514095Z"}}}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:02:51.096Z"}}], "cna": {"title": "Broken Access Control in Canonical LXD DevLXD API", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-77", "descriptions": [{"lang": "en", "value": "Manipulating User-Controlled Variables"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/canonical/lxd", "vendor": "Canonical", "product": "lxd", "versions": [{"status": "affected", "version": "6.6", "lessThan": "6.9", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "lxd", "programFiles": ["permissions.go"], "collectionURL": "https://github.com/canonical", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to LXD version 6.9 or later."}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp", "name": "Cross-guest volume hijack via DevLXD device patch", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/18585", "name": "Security fixes from the 6.9 release", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization bypass through User-Controlled key"}, {"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-06-26T15:27:55.111Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12411", "state": "PUBLISHED", "dateUpdated": "2026-06-26T16:02:55.284Z", "dateReserved": "2026-06-16T15:07:27.771Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-06-26T15:27:55.111Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}