Runc exploit does it affect LXD?

https://seclists.org/oss-sec/2019/q1/119

Short answer is “No”, but let's get into more detail.

This security issue only affects privileged containers. If you’re only running unprivileged containers (the default for LXD), then you’re perfectly safe.

If you are running privileged containers and are using the LXD snap, you are perfectly safe due to the binary being on a read-only filesystem (the snap squashfs).

If you are running privileged containers and are using an installation of LXD other than the snap, then you are still not likely affected, so long as LXD itself is running. That’s because the Linux kernel will prevent modifications of any executable that’s currently running.

In that last case, it is possible for a privileged container to attack your LXD binary during a restart of LXD, in which case some version of the attack described in that CVE may succeed.
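As an added example (not code from the post or from the LXD project), here is a small C probe that classifies a binary path according to the three cases above: EROFS means it sits on a read-only filesystem such as the snap squashfs, ETXTBSY means the kernel is refusing writes because the file is currently executing, and a successful open for writing means nothing protects it while LXD is stopped. The path `/usr/bin/lxd` mentioned in the comments is an assumed example; the program defaults to probing its own executable.

```c
/* Probe how a binary on disk is protected against being overwritten in place.
 * Only open(2) for writing is attempted; nothing is ever written or truncated. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum binary_protection {
    PROT_MISSING,     /* ENOENT: path does not exist */
    PROT_READONLY_FS, /* EROFS: read-only mount, e.g. the LXD snap squashfs */
    PROT_BUSY,        /* ETXTBSY: executing right now, protected until restart */
    PROT_PERMS_ONLY,  /* EACCES/EPERM: only DAC permissions, root can still write */
    PROT_WRITABLE,    /* open for write succeeded: nothing protects it */
    PROT_ERROR        /* any other error */
};

/* Note on ordering: the kernel checks the mount (EROFS) and DAC permissions
 * before the text-busy check, so a root-owned binary probed as an
 * unprivileged user reports PROT_PERMS_ONLY even if it is executing.
 * Run as root (the attacker's position in a privileged container) for the
 * answer that actually matters. */
enum binary_protection check_binary_protection(const char *path)
{
    int fd = open(path, O_WRONLY); /* no O_TRUNC/O_CREAT: a pure probe */
    if (fd >= 0) {
        close(fd); /* nothing was written; we only tested openability */
        return PROT_WRITABLE;
    }
    switch (errno) {
    case ENOENT:  return PROT_MISSING;
    case EROFS:   return PROT_READONLY_FS;
    case ETXTBSY: return PROT_BUSY;
    case EACCES:
    case EPERM:   return PROT_PERMS_ONLY;
    default:      return PROT_ERROR;
    }
}

const char *protection_name(enum binary_protection p)
{
    switch (p) {
    case PROT_MISSING:     return "missing";
    case PROT_READONLY_FS: return "read-only filesystem (safe)";
    case PROT_BUSY:        return "busy: executing (safe until restarted)";
    case PROT_PERMS_ONLY:  return "permissions only (root can overwrite)";
    case PROT_WRITABLE:    return "writable (unprotected)";
    default:               return "error";
    }
}

int main(int argc, char **argv)
{
    /* Default to our own executable; pass e.g. /usr/bin/lxd (assumed path). */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    printf("%s: %s\n", path, protection_name(check_binary_protection(path)));
    return 0;
}
```

Probing its own executable reports "busy" because the kernel refuses to open a running program for writing, which is the same protection the post describes for a running LXD binary.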

It is worth noting that we DO NOT consider privileged containers to be root safe, that is, you must be fine with any process running as root in a privileged container potentially gaining root access to your host. If you’re not fine with that risk, don’t run privileged containers.

This is covered in our long-standing security policy: https://linuxcontainers.org/lxc/security/

Per that policy, we make a best effort to keep privileged containers as isolated as possible (though not safe), and so we did implement a fix for this particular issue. The fix applies to liblxc and may be found here: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d