TL;DR
On a default Ubuntu Server install, the first user account is silently placed in the lxd group, and lxd-group membership is root-equivalent by design. From 24.04 onward LXD isn’t even pre-installed, yet the seeded lxd-installer socket (owned root:lxd, mode 0660) lets any lxd-group user install LXD password-free, launch a privileged container with the host filesystem mounted, and walk straight to root on the host, without the sudo password ever being entered. Every individual link is documented, intended behaviour; the weakness is the insecure default composition. We confirmed the full chain to euid=0 end-to-end on 20.04, 22.04, 24.04 and 26.04. The vendor reviewed it, settled on a won’t-fix (a deliberate business decision), and cleared this research for publication.