Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, protected_symlinks. On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.
AnalysisAI
Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.
Technical ContextAI
Incus (cpe:2.3:a:lxc:incus) is a system container and virtual machine manager providing an API for VM screenshot retrieval. The screenshot functionality relies on creating temporary files in /tmp with predictable paths, which QEMU uses to write screenshot data before the Incus service retrieves and transmits the file to the user. This design pattern is vulnerable to symlink-based attacks exploiting CWE-61 (Insecure Temporary File), a weakness where predictable temporary file locations allow attackers to pre-create symlinks to arbitrary targets. Most modern Linux kernels implement the protected_symlinks feature (sysctl kernel.protected_symlinks=1) which blocks such attacks by preventing unprivileged processes from following symlinks in sticky directories like /tmp that are owned by other users. However, on systems where this security feature has been explicitly disabled or unavailable, an attacker with local authentication can create malicious symlinks ahead of time, causing Incus to truncate, alter permissions, or modify arbitrary files when writing screenshots, leading to file system integrity compromise.
RemediationAI
Upgrade Incus to version 6.23.0 or later, which implements secure temporary file handling using non-predictable paths or proper O_TMPFILE semantics. Until patching can be completed, administrators should verify that kernel.protected_symlinks is enabled on all systems running Incus (check via 'sysctl kernel.protected_symlinks' - value should be 1) and disable the screenshot API functionality if it is not required in your environment. Additionally, restrict local system access to authenticated users who genuinely require Incus management capabilities, and monitor /tmp for suspicious symlink creation activity. Consult the vendor advisory at https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x for detailed upgrade procedures and verification steps.
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16462
GHSA-q9vp-3wcg-8p4x