LXD 5.0.7 release notes¶
This is an LTS release and is recommended for production use.
Release notes content
These release notes cover updates in the core LXD repository and the LXD snap package.
This is a maintenance release for the 5.0 LTS series. It focuses on security hardening, stricter input validation, and bug fixes backported from the main development branch.
Highlights¶
This section highlights notable improvements in this release.
Security hardening¶
A number of inputs are now validated more strictly and some low-level options have been further restricted as part of security hardening backports:
Stricter image fingerprint validation, including computing and verifying the combined hash during image downloads.
Stricter validation of low-level VM options: raw.apparmor and raw.qemu.conf were added to the list of forbidden low-level options.
Improved validation when editing certificates.
Validation of struct slices and configuration during backup import.
Tightened the compression algorithm validation to only allow supported values.
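To illustrate the fingerprint item above, here is an added example (not LXD's own code) of verifying a combined hash while a split image is downloaded. It assumes the fingerprint is the SHA-256 over the metadata file followed by the rootfs file and that only full 64-character lowercase hex fingerprints are accepted; the function names and sample data are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// validateFingerprint accepts only a full SHA-256 digest in lowercase hex
// (assumption of this example), so path characters or prefixes are rejected.
func validateFingerprint(fp string) error {
	raw, err := hex.DecodeString(fp)
	if err != nil || len(raw) != sha256.Size || fp != strings.ToLower(fp) {
		return fmt.Errorf("invalid image fingerprint %q: want 64 lowercase hex characters", fp)
	}
	return nil
}

// verifyCombined hashes the downloaded parts in order and compares the digest
// with the expected fingerprint instead of trusting the advertised value.
func verifyCombined(expected string, parts ...io.Reader) error {
	if err := validateFingerprint(expected); err != nil {
		return err
	}
	h := sha256.New()
	for _, p := range parts {
		if _, err := io.Copy(h, p); err != nil {
			return fmt.Errorf("hashing download: %w", err)
		}
	}
	got := hex.EncodeToString(h.Sum(nil))
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return fmt.Errorf("fingerprint mismatch: expected %s, got %s", expected, got)
	}
	return nil
}

func main() {
	// Constructed sample data standing in for a metadata tarball and a rootfs.
	meta, rootfs := "constructed-metadata", "constructed-rootfs"
	sum := sha256.Sum256([]byte(meta + rootfs))
	fp := hex.EncodeToString(sum[:])
	fmt.Println(verifyCombined(fp, strings.NewReader(meta), strings.NewReader(rootfs)))
	fmt.Println(verifyCombined(fp, strings.NewReader(meta), strings.NewReader("tampered")))
}
```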
Template rendering hardening¶
The instance template rendering logic was reworked to align with the standard RenderTemplate implementation. This introduces a recursion limit, blocks some pongo2 template functions, handles panics from the pongo2 package, and avoids leaking output from failed template execution.
Bug fixes¶
The following bug fixes are included in this release.
Project restriction bypass in instance copy across projects (CVE-2026-55622)
Project restriction bypass for custom volume copy across projects (CVE-2026-55621)
Restricted project bypass leading to arbitrary command execution (CVE-2026-48751)
Arbitrary file write on host via exec-output symlink in crafted image (CVE-2026-48750)
Arbitrary file read+write on host via templates/ symlink in malicious image (CVE-2026-48752)
Arbitrary file read+write on host via rootfs/ symlink in malicious image (CVE-2026-48749)
Argument injection in backup compression algorithm leading to AFW and ACE (CVE-2026-48755)
Arbitrary file write on client due to trusted image hash (CVE-2026-48769)
Backup snapshot import bypasses project restrictions (CVE-2026-9640)
Do not persist changes in UpdateInstanceConfig during import
Do not use backup config from disk in internalImportFromBackup
Validate whether instance snapshot can be created in createFromBackup
Backwards-incompatible changes¶
These changes are not compatible with older versions of LXD or its clients.
Minimum system requirement changes¶
The minimum supported version of some components has changed:
The minimum required version of Go to build LXD is now 1.25.8 (see Updated minimum Go version).
Stricter validation and tightened permissions¶
Several inputs are now validated more strictly, and some low-level options have been further restricted as part of security hardening backports. Requests that previously succeeded with malformed or unexpected values may now be rejected:
Stricter image fingerprint validation.
Stricter checks for low-level (raw.*) VM configuration options, including raw.apparmor and raw.qemu.conf.
Improved certificate edit validation.
Validation of struct slices and configuration during import.
The compression algorithm validation now only allows supported values.
Updated minimum Go version¶
If you are building LXD from source instead of using a package manager, the minimum version of Go required to build LXD is now 1.26.4 (previously 1.24.6).
Snap packaging changes¶
Transitioned the snap base from core20 to core22.
QEMU is now built from the Ubuntu source package (8.2.2+ds-0ubuntu1.17) instead of upstream Git.
Added an edk2/OVMF patch to disable the UEFI shell when Secure Boot is enabled.
Added the apparmor.unprivileged-restrictions-disable snap configuration option (default true).
The lxd-ui build now uses Node.js 20 (previously 18).
Refreshed the bundled Ceph stage libraries for core22.
libnvidia-container bumped to v1.19.1.
ZFS 2.2 bumped to 2.2.10.
Change log¶
Downloads¶
The source tarballs and binary clients can be found on our download page.
Binary packages are also available for:
Linux: snap install lxd --channel=5.0/stable
MacOS client: brew install lxc
Windows client: choco install lxc