CVE-2026-28384 is an OS command injection vulnerability classified under CWE-78, discovered in Canonical's LXD container management software. The root cause is improper neutralization of special characters in the compression_algorithm parameter when processing API requests to image and backup endpoints. This flaw allows an authenticated user with limited privileges to inject and execute arbitrary OS commands as the LXD daemon user on the server. Since the LXD daemon typically runs with elevated privileges to manage containers, exploitation can lead to significant system compromise, including unauthorized access, data manipulation, and control over containerized environments. The vulnerability affects LXD versions from 4.12 up to 6.6, excluding 4.0.10. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based via API calls. The vulnerability was publicly disclosed on March 12, 2026, with a CVSS 4.0 base score of 9.4, reflecting its critical impact and ease of exploitation. Canonical has released patches in snap package channels 5.0/stable (version 5.0.6-e49d9f4), 5.21/stable (5.21.4-1374f39), and 6.0/stable (6.7-1f11451). No active exploitation has been reported to date, but the severity and nature of the flaw warrant immediate remediation.

The impact of CVE-2026-28384 is severe for organizations utilizing Canonical LXD for container management. Exploitation enables an authenticated but unprivileged user to execute arbitrary commands with the privileges of the LXD daemon, which often has elevated rights on the host system. This can lead to full system compromise, including unauthorized access to sensitive data, disruption of containerized services, and lateral movement within the network. The vulnerability undermines the confidentiality, integrity, and availability of affected systems. Given the widespread adoption of LXD in cloud, enterprise, and development environments, the potential for significant operational disruption and data breaches is high. Attackers could leverage this flaw to deploy malware, exfiltrate data, or disrupt critical infrastructure. The lack of required user interaction and network-based attack vector increase the risk of rapid exploitation once the vulnerability is known.

To mitigate CVE-2026-28384, organizations should immediately upgrade affected LXD installations to the patched versions provided by Canonical in the snap channels 5.0/stable (5.0.6-e49d9f4), 5.21/stable (5.21.4-1374f39), or 6.0/stable (6.7-1f11451). If upgrading is not immediately feasible, restrict access to the LXD API endpoints to trusted and authenticated users only, employing network segmentation and firewall rules to limit exposure. Implement strict authentication and authorization controls to minimize the number of users with access to LXD APIs. Monitor logs for unusual API activity, especially calls involving image and backup endpoints with suspicious compression_algorithm parameters. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect anomalous command execution patterns. Regularly audit container management environments for compliance with security best practices and ensure that principle of least privilege is enforced for all users and services interacting with LXD. Finally, maintain an incident response plan to quickly address any suspected exploitation.