DEBIAN-CVE-2025-54288

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.

References

https://security-tracker.debian.org/tracker/CVE-2025-54288

Affected packages

Debian:13 / incus

Package

Name: incus
Purl: pkg:deb/debian/incus?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.4-2+deb13u1

Affected versions

6.*

6.0.4-2

6.0.4-2+deb13u1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / incus

Package

Name: incus
Purl: pkg:deb/debian/incus?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.5-1

Affected versions

6.*

6.0.4-2

6.0.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / lxd

Package

Name: lxd
Purl: pkg:deb/debian/lxd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2-5+deb12u1

Affected versions

5.*

5.0.2-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / lxd

Package

Name: lxd
Purl: pkg:deb/debian/lxd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2+git20231211.1364ae4-9+deb13u1

Affected versions

5.*

5.0.2+git20231211.1364ae4-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}