CVE-2026-23953
📋 TL;DR
This vulnerability allows users in the 'incus' group to inject newlines into container environment variables, enabling arbitrary command execution on the host system. Attackers can add malicious lifecycle hooks to container configurations, potentially gaining full control of the host. This affects Incus installations where users can launch containers with custom YAML configurations.
💻 Affected Systems
- Incus
📦 What is this software?
Incus by Linuxcontainers
⚠️ Risk & Real-World Impact
Worst Case
Full host compromise with root-level command execution, allowing attackers to install persistent backdoors, exfiltrate data, or pivot to other systems.
Likely Case
Privilege escalation from container user to host root access, enabling container escape and host takeover.
If Mitigated
Limited to authorized 'incus' group members only, preventing external attackers from exploiting without initial access.
🎯 Exploit Status
Proof-of-concept scripts are publicly available. Exploitation requires 'incus' group membership but is straightforward once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.6 and 6.21.0 (planned but not released)
Vendor Advisory: https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32
Restart Required: Yes
Instructions:
1. Monitor for the release of versions 6.0.6 or 6.21.0.
2. Update Incus to the patched version when available.
3. Restart the Incus service and affected containers.
🔧 Temporary Workarounds
Restrict incus group membership
Limit 'incus' group membership to only trusted administrators who require container management capabilities. List current members with `getent group incus` and remove a user from the group with:
sudo gpasswd -d username incus
Disable custom YAML configurations
Prevent users from launching containers with custom YAML configurations if this capability is not required.
🧯 If You Can't Patch
- Remove non-essential users from the 'incus' group immediately
- Implement strict monitoring of container lifecycle hooks and configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the Incus version with `incus --version`. If the version is 6.20.0 or below, the system is vulnerable.
Check Version:
incus --version
Verify Fix Applied:
After patching, verify version is 6.0.6 or 6.21.0 or higher. Test that newline injection in environment variables no longer adds configuration items.
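The version gate above can be scripted so that a fleet check does not misclassify the 6.0 LTS branch (6.0.6 is fixed even though it sorts below 6.20.0). The following is an added example, not code from Incus or from the advisory; it assumes `incus --version` prints a plain version string such as `6.0.6`, which the regex search tolerates even if extra text surrounds it.

```python
"""Added example: decide whether an installed Incus version carries the
CVE-2026-23953 fix, using the two fixed versions named in the advisory."""
import re
import subprocess

FIXED_LTS = (6, 0, 6)       # fix on the 6.0 LTS branch
FIXED_FEATURE = (6, 21, 0)  # fix on the feature-release branch


def parse_version(text):
    """Extract (major, minor, patch) from a version string; patch defaults to 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(version):
    """True when the version is at or above the fix for its release branch."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v[:2] == (6, 0):          # LTS branch: compare against 6.0.6
        return v >= FIXED_LTS
    return v >= FIXED_FEATURE    # everything else: compare against 6.21.0


def installed_version():
    """Ask the local CLI for its version (assumes `incus --version` prints it)."""
    out = subprocess.run(["incus", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    ver = installed_version()
    print(f"Incus {ver}: {'fixed' if is_fixed(ver) else 'VULNERABLE (CVE-2026-23953)'}")
```

Run it on each host after the update; a `VULNERABLE` verdict on a 6.0.x host means the LTS fix has not landed yet, not that the host must jump to 6.21.0.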
📡 Detection & Monitoring
Log Indicators:
- Unusual container lifecycle hooks being added
- Suspicious environment variables with newlines in container configurations
- Unexpected commands executed on host from container context
Network Indicators:
- Outbound connections from host initiated by container processes
- Unexpected network activity from host services
SIEM Query:
source="incus" AND (event="lifecycle_hook" OR event="config_change") AND (message="*\n*" OR message="*newline*")
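The second log indicator (environment variables carrying newlines) can be checked directly against instance configuration rather than waiting for a log line. The following scanner is an added example, not code from Incus or from the advisory. It assumes the JSON document returned by `incus query /1.0/instances/NAME` has a top-level `config` mapping of string keys to string values, with environment variables stored under `environment.*`; the sample instance embedded below is constructed for the demonstration.

```python
"""Added example: flag Incus instance config values that could smuggle extra
configuration lines (CVE-2026-23953 pattern) and surface raw.lxc entries for review."""
import json
import subprocess

# Characters that never belong inside a single environment value.
CONTROL_CHARS = ("\n", "\r", "\x00")


def scan_config(config):
    """Return a list of findings for one instance's config mapping."""
    findings = []
    for key, value in sorted(config.items()):
        if not isinstance(value, str):
            continue
        if key.startswith("environment.") and any(c in value for c in CONTROL_CHARS):
            findings.append({"key": key, "severity": "high",
                             "reason": "environment value contains a control character",
                             "value": repr(value)})
        elif key.startswith("raw.lxc"):
            # raw.lxc is a legitimate but privileged key: every entry gets a human review.
            findings.append({"key": key, "severity": "review",
                             "reason": "raw LXC configuration present",
                             "value": repr(value)})
    return findings


def scan_instance(instance):
    """Scan the JSON object describing one instance (assumed `config` key)."""
    return scan_config(instance.get("config", {}))


def fetch_instance(name):
    """Fetch a live instance document from the local daemon (assumes `incus query`)."""
    out = subprocess.run(["incus", "query", f"/1.0/instances/{name}"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


# Constructed sample: one clean variable, one carrying an embedded newline,
# and one raw.lxc entry that should be reviewed.
SAMPLE_INSTANCE = json.loads(r'''
{
  "name": "web01",
  "config": {
    "environment.APP_MODE": "production",
    "environment.GREETING": "hello\ninjected-line",
    "image.os": "Debian",
    "raw.lxc": "lxc.cap.drop = sys_module"
  }
}
''')


if __name__ == "__main__":
    import sys
    instance = fetch_instance(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INSTANCE
    for f in scan_instance(instance):
        print(f"[{f['severity']}] {f['key']}: {f['reason']} ({f['value']})")
```

Running it with an instance name scans the live configuration; running it without arguments scans the embedded sample, which yields one high-severity finding for `environment.GREETING` and one review item for `raw.lxc`. Loop it over `incus list --format json` output to cover every instance on a host, and alert on any high-severity finding.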
🔗 References
- https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081
- https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32
- https://github.com/user-attachments/files/24473682/environment_newline_injection.sh
- https://github.com/user-attachments/files/24473685/environment_newline_injection.patch