DEBIAN-CVE-2026-9639

Source
https://security-tracker.debian.org/tracker/CVE-2026-9639
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9639.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-9639
Upstream
Published
2026-06-26T16:16:37.143Z
Modified
2026-07-12T04:00:17.413520280Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with cancreatestoragevolumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expiresat snapshot field.

References

Affected packages

Debian:12 / lxd

Package

Name
lxd
Purl
pkg:deb/debian/lxd?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.0.2-5
5.0.2-5+deb12u1
5.0.2-5+deb12u2
5.0.2-5+deb12u3
5.0.2-5+deb12u4
5.0.2-5+deb12u5
5.0.2-5+deb12u6
5.0.2-6
5.0.2+git20231211.1364ae4-1
5.0.2+git20231211.1364ae4-2
5.0.2+git20231211.1364ae4-3
5.0.2+git20231211.1364ae4-4
5.0.2+git20231211.1364ae4-5
5.0.2+git20231211.1364ae4-6
5.0.2+git20231211.1364ae4-7
5.0.2+git20231211.1364ae4-8
5.0.2+git20231211.1364ae4-9

Ecosystem specific

{
    "urgency": "end-of-life"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9639.json"

Debian:13 / lxd

Package

Name
lxd
Purl
pkg:deb/debian/lxd?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.2+git20231211.1364ae4-9+deb13u7

Affected versions

5.*
5.0.2+git20231211.1364ae4-9
5.0.2+git20231211.1364ae4-9+deb13u1
5.0.2+git20231211.1364ae4-9+deb13u2
5.0.2+git20231211.1364ae4-9+deb13u3
5.0.2+git20231211.1364ae4-9+deb13u4
5.0.2+git20231211.1364ae4-9+deb13u5
5.0.2+git20231211.1364ae4-9+deb13u6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9639.json"