Incus CVE-2026-48751
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable API with low-privilege project access (PR:L), low complexity; container-to-host escape changes scope (S:C) and yields root command execution, so C/I/A all High.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for arbitrary command execution on the Incus server by abusing lowlevel hooks such as raw.lxc and raw.qemu.
Details
Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for arbitrary command execution on the Incus server by abusing lowlevel hooks such as raw.lxc and raw.qemu.
As snapshots can be moved from one server to another, a malicious instance+snapshot can be crafted locally, moved to a restricted project and the snapshot restored for arbitrary command execution.
In practice, this allows a malicious actor to execute arbitrary commands on the host with root privileges.
PoC
# remote, restricted
incus project set rem:project restricted.true
incus project set rem:project restricted.containers.lowlevel=block
# locally, unrestricted project
incus init images:debian/trixie rce-raw-lxc
incus config set rce-raw-lxc raw.lxc='lxc.hook.pre-start = /bin/sh -c "/bin/id >/lxc-hook-prestart"'
incus snapshot create rce-raw-lxc snap0
#> allow transfer to restricted project
incus config unset rce-raw-lxc raw.lxc
# locally, transfer and trigger
incus move rce-raw-lxc rem: --mode push
incus snapshot restore rem:rce-raw-lxc snap0
incus start rem:rce-raw-lxcImpact
- Bypass of project restrictions.
- Arbitrary command execution on the Incus server.
AnalysisAI
Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Incus user (CVSS PR:L) with permission to create instances in at least one unrestricted/permissive project and to move/migrate instances into a target project configured with restricted=true and restricted.containers.lowlevel=block - that restricted configuration is precisely the control being bypassed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant who holds a normal Incus account creates an instance in an unrestricted project, sets raw.lxc to a pre-start hook running an arbitrary command, snapshots it, then unsets the key so the instance can transfer. They move the instance to a project hardened with restricted.containers.lowlevel=block, restore the malicious snapshot, and start it - the hook fires and executes their command on the host as root. … |
| Remediation | Vendor-released patch: upgrade Incus to 7.2.0 or later, which re-enforces the lowlevel restriction across the snapshot restore/import path; this is the primary and recommended fix (see https://github.com/lxc/incus/security/advisories/GHSA-48q5-w887-33wv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Inventory all Incus installations and identify systems running versions before 7.2.0 with exposure to non-administrator users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-48q5-w887-33wv