← Back to blog

LXD Container Platform Patches Critical Go Cryptography Flaws

Ubuntu released USN-8447-2 to address embedded Go Cryptography vulnerabilities in LXD that could enable SSH bypass attacks and denial-of-service conditions. Four CVEs affecting SSH key handling and FIDO/U2F verification require immediate patching.

TL;DR

  • LXD container platform receives patches for four Go Cryptography CVEs embedded in its codebase
  • SSH global request handling flaw (CVE-2026-39830) can trigger remote denial-of-service attacks
  • FIDO/U2F user presence verification bypass (CVE-2026-39833) undermines hardware security key protections
  • SSH agent key constraint serialization defect (CVE-2026-39834) allows attackers to circumvent intended key usage restrictions
  • Updates apply to Ubuntu 20.04 LTS through 26.04 LTS; prioritize deployment in container infrastructure

Canonical released security update USN-8447-2 to address multiple vulnerabilities in LXD's embedded Go Cryptography library. These flaws stem from upstream Go Cryptography issues and affect SSH protocol handling, hardware security key verification, and SSH agent key management across Ubuntu 20.04 LTS through 26.04 LTS.

The vulnerabilities expose container platforms to remote attacks ranging from denial-of-service conditions to authentication bypass scenarios. Organizations running LXD in production environments should prioritize patching to prevent exploitation of SSH-based access controls and hardware security key protections.

Vulnerability Summary

  • CVE-2026-39830: Improper SSH global request response handling enables remote denial-of-service attacks
  • CVE-2026-39833: FIDO/U2F user presence verification bypass undermines hardware security key authentication
  • CVE-2026-39834: SSH agent key constraint serialization defect allows bypass of intended key usage restrictions
  • CVE-2026-42508: Additional SSH constraint enforcement issue affecting confirm-before-use protections
  • All four CVEs originate from upstream Go Cryptography library and are now patched in LXD

Impact and Affected Systems

  • LXD container platforms using embedded Go Cryptography code are directly vulnerable
  • SSH-based access to containers and container management interfaces at risk
  • Hardware security key authentication can be bypassed on affected Ubuntu LTS versions
  • Key usage restrictions may be circumvented, allowing unauthorized SSH operations
  • Affects Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS, and 26.04 LTS distributions

Remediation Guidance

  • Apply USN-8447-2 updates immediately to all LXD installations
  • Verify SSH key constraints and FIDO/U2F configurations post-patching
  • Review SSH agent logs for suspicious key usage patterns prior to update
  • Test container access and SSH authentication workflows after deployment
  • Coordinate updates with container orchestration and infrastructure automation systems

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

LXD Container Platform Patches Critical Go Cryptography Flaws — Agent Breach Blog | Agent Breach