This vulnerability (CVE-2026-12411) in Canonical LXD arises from broken access control in the devLXDInstancePatchHandler component. An untrusted guest can exploit this flaw by sending a crafted device PATCH request over /dev/lxd to mount, read, and overwrite another guest's custom storage volume. The issue occurs only when the security.devlxd.management.volumes setting is enabled. The CVSS 3.1 score is 8.4, indicating high severity, with attack vector local, low attack complexity, low privileges required, no user interaction, scope changed, and high impact on confidentiality and integrity but no impact on availability. The affected versions are exactly 6.6 and all versions from 6.6 up to but excluding 6.9. No official patch or remediation level has been published yet, and no known exploits are reported in the wild.

Successful exploitation allows an untrusted guest to bypass authorization controls and gain unauthorized access to another guest's custom storage volume, including the ability to mount, read, and overwrite data. This compromises confidentiality and integrity of the affected storage volumes, potentially leading to data leakage or tampering. Availability is not impacted according to the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling the security.devlxd.management.volumes setting if feasible to reduce exposure. Monitor official Canonical advisories for updates and apply patches promptly once available.