Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-34177

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 5 days, 9 hours ago

VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.

References

VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf vdb-entryvendor-advisory
lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked patchissue-tracking
https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f exploit

Affected products

lxd

<5.0.7
<5.21.5
<6.8.0

Matching in nixpkgs

pkgs.lxd-ui

Web user interface for LXD

pkgs.lxd-lts

Daemon based on liblxc offering a REST API to manage containers

pkgs.lxd-image-server

Creates and manages a simplestreams lxd image server on top of nginx

nixos-unstable 0.0.4
- nixpkgs-unstable 0.0.4
- nixos-unstable-small 0.0.4
nixos-25.11 0.0.4
- nixos-25.11-small 0.0.4
- nixpkgs-25.11-darwin 0.0.4

pkgs.lxd-unwrapped-lts

Daemon based on liblxc offering a REST API to manage containers

pkgs.python312Packages.pylxd

Library for interacting with the LXD REST API

nixos-25.11 2.3.2
- nixos-25.11-small 2.3.2
- nixpkgs-25.11-darwin 2.3.2

pkgs.python313Packages.pylxd

Library for interacting with the LXD REST API

nixos-unstable 2.3.7
- nixpkgs-unstable 2.3.7
- nixos-unstable-small 2.3.7
nixos-25.11 2.3.2
- nixos-25.11-small 2.3.2
- nixpkgs-25.11-darwin 2.3.2

pkgs.python314Packages.pylxd

Library for interacting with the LXD REST API

nixos-unstable 2.3.7
- nixpkgs-unstable 2.3.7
- nixos-unstable-small 2.3.7

pkgs.terraform-providers.lxd

None

nixos-unstable 2.7.0
- nixpkgs-unstable 2.7.0
- nixos-unstable-small 2.7.0
nixos-25.11 2.6.0
- nixos-25.11-small 2.6.0
- nixpkgs-25.11-darwin 2.6.0

pkgs.terraform-providers.terraform-lxd_lxd

None

nixos-unstable 2.7.0
- nixpkgs-unstable 2.7.0
- nixos-unstable-small 2.7.0
nixos-25.11 2.6.0
- nixos-25.11-small 2.6.0
- nixpkgs-25.11-darwin 2.6.0

Package maintainers

@mkg20001 Maciej Krüger <mkg20001+nix@gmail.com>