VYPR
Unrated severity · NVD Advisory · Published Jun 28, 2026

Debian lxd: Broken Access Control in the devLXDInstancePatchHandler component of Canonical L…

CVE-2026-12411

Description

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

Affected products

1
