Skip to main content

Red Hat CVE-2026-33945

| EUVDEUVD-2026-16492 CRITICAL
Path Traversal (CWE-22)
2026-03-26 GitHub_M
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
9.6 CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 23:31 euvd
EUVD-2026-16492
Analysis Generated
Mar 26, 2026 - 23:31 vuln.today
CVE Published
Mar 26, 2026 - 23:27 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like systemd.credential.../../../../../../root/.bashrc to cause Incus to write outside of the credentials directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is systemd.credential.XYZ where XYZ can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.

AnalysisAI

Path traversal in Incus system container manager allows authenticated remote attackers to write arbitrary files as root on the host via malformed systemd credential configuration keys. Affecting all versions before 6.23.0, this enables both privilege escalation from container to host and denial of service through critical file overwrites. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis. The CVSS 9.9 Critical rating reflects the severe impact of container escape, though the PR:L requirement and lack of active exploitation temper immediate urgency.

Technical ContextAI

Incus (a fork of LXC/LXD) implements systemd credential passing for containers through a shared directory mechanism. The vulnerability exploits insufficient path validation in the configuration key parser for systemd.credential.* settings. The implementation fails to sanitize path traversal sequences in the credential name portion, treating 'systemd.credential.../../../../../../root/.bashrc' as a valid credential identifier. This CWE-22 path traversal flaw bypasses directory confinement controls, allowing authenticated users with container configuration privileges to specify write targets outside the intended credentials directory. The affected component is cpe:2.3:a:lxc:incus before version 6.23.0. The attack leverages the fact that Incus parses everything after 'systemd.credential.' as a filename without normalizing or validating the path, creating a classic directory traversal condition where relative path components are preserved and processed by the underlying filesystem operations.

RemediationAI

Vendor-released patch: version 6.23.0 resolves this vulnerability through improved path validation in systemd credential configuration handling. Organizations should upgrade all Incus installations to version 6.23.0 or later immediately. The fix is implemented in commit f74199f9983e2ce78f2b78b6d765c6635b229c82 available at https://github.com/lxc/incus/commit/f74199f9983e2ce78f2b78b6d765c6635b229c82. Until patching is completed, administrators should implement compensating controls including restricting container configuration API access to only highly trusted administrators, auditing existing container configurations for systemd.credential settings containing path traversal sequences (../ patterns), implementing monitoring for unexpected file modifications in sensitive host directories, and considering disabling systemd credential passing features if not operationally required. Review access control policies to ensure the principle of least privilege for container management operations. Full remediation guidance is available in the GitHub Security Advisory at https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy