Description
Advisory GHSA-3g2j-vm47-x4mj references a vulnerability in the following Go modules:
| Module |
|---|
| lxd |
Description:
Impact
This affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user.
The most common case for this would be systems using lxd-user with the less privileged lxd group to provide unprivileged users with an isolated restricted access to LXD. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid b...
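As an added triage aid (not code from the advisory, from LXD, or from this vulndb report): the Go program below scans the JSON printed by `lxc storage volume list <pool> --format json` and reports custom volumes that have security.shifted set to a true value and are attached to at least one instance, which are the volumes the advisory's preconditions concern. The JSON field names (`name`, `type`, `project`, `config`, `used_by`) are assumed from the LXD API's StorageVolume object, the set of accepted truthy strings is an assumption that mirrors how LXD usually parses boolean config keys, and the sample listing is constructed for the example rather than captured from a real host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// storageVolume holds the fields of the LXD API StorageVolume object that the
// audit needs. Field names are assumed to match the JSON emitted by
// `lxc storage volume list <pool> --format json`; check them against your LXD version.
type storageVolume struct {
	Name    string            `json:"name"`
	Type    string            `json:"type"`
	Project string            `json:"project"`
	Config  map[string]string `json:"config"`
	UsedBy  []string          `json:"used_by"`
}

// finding is one custom volume that is both shifted and attached to an instance.
type finding struct {
	Pool, Project, Volume string
	UsedBy                []string
}

// isTrue accepts the spellings LXD is assumed to treat as boolean true in config
// values, so a volume configured with "1" or "yes" is not silently missed.
func isTrue(v string) bool {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "true", "1", "yes", "on":
		return true
	}
	return false
}

// shiftedCustomVolumes parses a volume listing for pool and returns the custom
// volumes with security.shifted=true that are in use by at least one instance.
// Instance, image and VM volumes are skipped, as are unattached custom volumes:
// the advisory requires the volume to be attached to a container the user controls.
func shiftedCustomVolumes(pool string, listJSON []byte) ([]finding, error) {
	var vols []storageVolume
	if err := json.Unmarshal(listJSON, &vols); err != nil {
		return nil, fmt.Errorf("parse volume list for pool %q: %w", pool, err)
	}
	var out []finding
	for _, v := range vols {
		if v.Type != "custom" || !isTrue(v.Config["security.shifted"]) || len(v.UsedBy) == 0 {
			continue
		}
		out = append(out, finding{Pool: pool, Project: v.Project, Volume: v.Name, UsedBy: v.UsedBy})
	}
	return out, nil
}

// sampleList is a constructed stand-in for the output of
// `lxc storage volume list default --format json`; it was not captured from a real host.
const sampleList = `[
  {"name":"web1","type":"container","project":"default","config":{},"used_by":["/1.0/instances/web1"]},
  {"name":"shared","type":"custom","project":"default","config":{"security.shifted":"true"},
   "used_by":["/1.0/instances/web1","/1.0/instances/web2?project=default"]},
  {"name":"backups","type":"custom","project":"default","config":{"size":"10GiB"},"used_by":[]},
  {"name":"scratch","type":"custom","project":"restricted","config":{"security.shifted":"true"},"used_by":[]}
]`

func main() {
	findings, err := shiftedCustomVolumes("default", []byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("pool=%s project=%s volume=%s security.shifted=true attached_to=%s\n",
			f.Pool, f.Project, f.Volume, strings.Join(f.UsedBy, ","))
	}
}
```

On a real host, feed the program the listing for every pool (and, for non-default projects, the listing for each project) rather than the constructed sample; a volume that turns up here on an LXD release without the referenced fixes is one to detach or unshift until the host is upgraded.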
References:
- ADVISORY: GHSA-3g2j-vm47-x4mj
- ADVISORY: GHSA-3g2j-vm47-x4mj
- FIX: Tighten storage pool permissions (from Incus) canonical/lxd#16904
- FIX: Tighten storage pool permissions (from Incus) (stable-5.21) canonical/lxd#16922
- FIX: Tighten storage pool permissions (from Incus) (stable-5.0) canonical/lxd#16923
- FIX: Tighten storage pool permissions (from Incus) (stable-4.0) canonical/lxd#16924
- REPORT: Local privilege escalation: a local unprivileged user in a restricted project may obtain host root privileges under certain conditions. lxc/incus#2641
- WEB: GHSA-56mx-8g9f-5crf
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: lxd
summary: LXD vulnerable to a local privilege escalation through custom storage volumes in lxd
ghsas:
- GHSA-3g2j-vm47-x4mj
references:
- advisory: https://github.com/advisories/GHSA-3g2j-vm47-x4mj
- advisory: https://github.com/canonical/lxd/security/advisories/GHSA-3g2j-vm47-x4mj
- fix: https://github.com/canonical/lxd/pull/16904
- fix: https://github.com/canonical/lxd/pull/16922
- fix: https://github.com/canonical/lxd/pull/16923
- fix: https://github.com/canonical/lxd/pull/16924
- report: https://github.com/lxc/incus/issues/2641
- web: https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf
notes:
- fix: 'lxd: could not add vulnerable_at: module lxd not known to proxy'
source:
id: GHSA-3g2j-vm47-x4mj
created: 2025-11-14T00:01:04.84276918Z
review_status: UNREVIEWED