CVE-2026-23954
📋 TL;DR
This vulnerability in Incus allows users with container launch privileges to exploit directory traversal or symbolic links in template functionality, leading to host file read/write and ultimately arbitrary command execution on the host system. It affects Incus versions 6.21.0 and below, including IncusOS. Users in the 'incus' group or with similar container management permissions are at risk.
💻 Affected Systems
- Incus
- IncusOS
📦 What is this software?
Incus by Linuxcontainers
⚠️ Risk & Real-World Impact
Worst Case
Full host compromise with root-level arbitrary command execution, allowing complete system takeover, data exfiltration, and lateral movement.
Likely Case
Privileged container users gain host file system access, potentially reading sensitive files, writing malicious scripts, and executing commands with elevated privileges.
If Mitigated
Limited impact if strict access controls limit container creation to trusted administrators only.
🎯 Exploit Status
Proof-of-concept scripts are publicly available. Exploitation requires an authenticated user with container creation privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Planned for 6.0.6 and 6.21.0 (not yet released)
Vendor Advisory: https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7
Restart Required: Yes
Instructions:
1. Monitor official Incus releases for patches 6.0.6 or 6.21.0.
2. Apply the patch when available.
3. Restart the Incus service.
4. Verify the fix with a version check.
🔧 Temporary Workarounds
Restrict Container Creation
Limit container launch permissions to only essential, trusted administrators. Add trusted users to the 'incus' group and remove anyone who should not be able to create containers (usermod has no group-removal option; gpasswd -d removes a user from a group):
sudo usermod -a -G incus trusted_admin_user
sudo gpasswd -d malicious_user incus
Disable Custom Image Templates
Prevent use of custom images with metadata.yaml templates in production. The settings below stop cached remote images from being kept and auto-updated; note that they do not by themselves disable template processing for images that are imported or launched explicitly, so image import should also be restricted to trusted operators.
incus config set images.remote_cache_expiry 0
incus config set images.auto_update_interval 0
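As an added defensive check (example code written for this page, not Incus's own implementation), the following audits the target paths of an image's templates section against a container rootfs, flagging paths with `..` components and paths whose symlinks resolve outside the rootfs. It assumes metadata.yaml has already been loaded into a dict keyed by target path; the sample rootfs and template entries are constructed.

```python
import os
import tempfile
from pathlib import Path


def resolve_template_target(rootfs: str, target: str) -> str:
    """Join a template target with the rootfs and follow any symlinks
    inside the container tree, returning the real host path."""
    rootfs_real = os.path.realpath(rootfs)
    joined = os.path.join(rootfs_real, target.lstrip("/"))
    return os.path.realpath(joined)


def template_target_escapes(rootfs: str, target: str) -> bool:
    """True when the resolved target is not under the rootfs."""
    rootfs_real = os.path.realpath(rootfs)
    resolved = resolve_template_target(rootfs, target)
    try:
        return os.path.commonpath([rootfs_real, resolved]) != rootfs_real
    except ValueError:  # different drives / mixed absolute and relative
        return True


def audit_templates(rootfs: str, templates: dict) -> dict:
    """Return {target: reason} for each template target that would
    write outside the container rootfs."""
    findings = {}
    for target in templates:
        if ".." in Path(target).parts:
            findings[target] = "path traversal"
        elif template_target_escapes(rootfs, target):
            findings[target] = "symlink escape"
    return findings


def build_sample_rootfs() -> str:
    """Constructed sample: a rootfs with /etc and a symlink to the host /."""
    rootfs = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(rootfs, "etc"))
    os.symlink("/", os.path.join(rootfs, "escape"))
    return rootfs


# Constructed template entries in metadata.yaml shape (target -> settings).
SAMPLE_TEMPLATES = {
    "/etc/hostname": {"template": "hostname.tpl", "when": ["create"]},
    "/../host_file": {"template": "evil.tpl", "when": ["create"]},
    "/escape/host_file": {"template": "evil.tpl", "when": ["create"]},
}

if __name__ == "__main__":
    print(audit_templates(build_sample_rootfs(), SAMPLE_TEMPLATES))
```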
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Incus hosts from critical systems.
- Enable comprehensive auditing and monitoring of container creation activities and file access patterns.
🔍 How to Verify
Check if Vulnerable:
Check the Incus version: if the version is ≤ 6.21.0 and custom images with templates are allowed, the system is vulnerable.
Check Version:
incus --version
Verify Fix Applied:
After patching, confirm that the reported version is 6.0.6 or 6.21.0 with the fixes applied, or any later release.
📡 Detection & Monitoring
Log Indicators:
- Unusual container creation with custom images
- File access patterns outside container boundaries
- Template processing errors in Incus logs
Network Indicators:
- Unexpected outbound connections from Incus host following container creation
SIEM Query:
source="incus.log" AND ("metadata.yaml" OR "template" OR "symlink" OR "../")
🔗 References
- https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215
- https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294
- https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7
- https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh
- https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch