CVE-2026-12411
Canonical · LXD
A broken access control vulnerability in the devLXDInstancePatchHandler component of Canonical LXD allows unauthorized storage volume access between guests.
Executive summary
Canonical LXD is affected by a broken access control vulnerability that permits untrusted guests to read or overwrite the storage volumes of other instances.
Vulnerability
The flaw exists in the devLXDInstancePatchHandler component, the handler in the devLXD guest-facing API that processes an instance's device PATCH requests. The handler does not properly validate these requests, so an untrusted guest can use them to attach and manipulate custom storage volumes that belong to other guests on the same host, breaking the isolation boundary between LXD instances.
Business impact
The CVSS score of 8.4 reflects the severity of this cross-container compromise. Because the volumes involved can hold another tenant's data, a malicious guest could read or modify sensitive data across instance boundaries, which undermines the tenant isolation that multi-tenant LXD deployments rely on.
Remediation
Immediate Action: Apply all security patches released by Canonical for the LXD package immediately.
Proactive Monitoring: Review LXD logs and lifecycle events for device PATCH requests originating from guests and for custom volumes being attached to instances that should not have them.
Compensating Controls: Where possible, isolate highly sensitive workloads on separate physical hosts to provide an additional layer of security beyond container isolation.
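As a review aid for the monitoring and compensating-control steps above, the following script is an added example (not part of this advisory and not LXD project code). It reads the JSON produced by `lxc list --format json`, collects every custom storage volume attached as a disk device, and flags volumes that are attached to more than one instance, since those are the attachments worth checking against tenant boundaries. The sample input is constructed, and the assumed layout (instances with `name`, `project` and an `expanded_devices` map whose disk entries carry `pool` and `source`) is an assumption about the current LXD output format, not something stated by the advisory.

```python
import json
import sys
from collections import defaultdict

# Constructed sample, shaped like `lxc list --format json` output, trimmed to
# the fields this script uses. Layout is an assumption, not advisory content.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web1", "project": "tenant-a",
   "expanded_devices": {
     "root": {"type": "disk", "path": "/", "pool": "default"},
     "data": {"type": "disk", "path": "/data", "pool": "default", "source": "data-shared"}}},
  {"name": "web2", "project": "tenant-b",
   "expanded_devices": {
     "root": {"type": "disk", "path": "/", "pool": "default"},
     "data": {"type": "disk", "path": "/data", "pool": "default", "source": "data-shared"},
     "host": {"type": "disk", "path": "/mnt/host", "source": "/srv/bind-mount"}}},
  {"name": "db1", "project": "tenant-a",
   "expanded_devices": {
     "root": {"type": "disk", "path": "/", "pool": "default"},
     "pg": {"type": "disk", "path": "/var/lib/postgresql", "pool": "fast", "source": "db-vol"}}}
]
"""


def custom_volume_attachments(instances):
    """Map (pool, volume) -> list of 'project/instance' for each custom volume attachment.

    A custom volume attachment is a disk device with both a pool and a source.
    Root disks carry a pool but no source; host bind mounts carry a source but no
    pool. Both are skipped.
    """
    attachments = defaultdict(list)
    for inst in instances:
        devices = inst.get("expanded_devices") or inst.get("devices") or {}
        owner = f"{inst.get('project', 'default')}/{inst['name']}"
        for dev in devices.values():
            if dev.get("type") != "disk":
                continue
            pool, source = dev.get("pool"), dev.get("source")
            if not pool or not source:
                continue
            attachments[(pool, source)].append(owner)
    return dict(attachments)


def shared_volumes(instances):
    """Return only the custom volumes attached to more than one instance."""
    return {
        vol: owners
        for vol, owners in custom_volume_attachments(instances).items()
        if len(set(owners)) > 1
    }


def cross_project_volumes(instances):
    """Subset of shared volumes whose attached instances span more than one project.

    Cross-project sharing is the strongest signal that a volume crosses a tenant boundary.
    """
    return {
        vol: owners
        for vol, owners in shared_volumes(instances).items()
        if len({o.split("/", 1)[0] for o in owners}) > 1
    }


def report(instances):
    lines = []
    for (pool, volume), owners in sorted(shared_volumes(instances).items()):
        lines.append(f"{pool}/{volume} attached to: {', '.join(sorted(owners))}")
    return lines


if __name__ == "__main__":
    # Pipe real data in with: lxc list --all-projects --format json | python3 audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else json.loads(SAMPLE_INSTANCES_JSON)
    for line in report(data):
        print(line)
    print(f"{len(cross_project_volumes(data))} volume(s) shared across projects")
```

A volume legitimately shared by two instances of the same tenant is not itself a problem; the point of the listing is to give an administrator a baseline so that an attachment appearing on an instance that should never have had it stands out, whether it was created by an operator or through the guest PATCH path this advisory describes.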
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the potential for cross-container data access, this vulnerability must be treated with high urgency in multi-tenant or shared-hosting environments. Administrators should audit their LXD configurations, including which custom volumes are attached to which instances, apply the patched LXD release as soon as Canonical publishes it, and confirm the running version afterwards.