gce-compute-image-packages is vulnerable to arbitrary code execution. Using the membership to the “lxd” group, an attacker can attach host devices and filesystems, and to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges.
lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html
lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html
cloud.google.com/support/bulletins/#gcp-2020-008
github.com/GoogleCloudPlatform/guest-oslogin/pull/29
gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020