Skip to main content

Incus CVE-2026-48751

CRITICAL
Missing Authorization (CWE-862)
2026-06-26 https://github.com/lxc/incus GHSA-48q5-w887-33wv
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable API with low-privilege project access (PR:L), low complexity; container-to-host escape changes scope (S:C) and yields root command execution, so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 26, 2026 - 19:20 vuln.today
Analysis Generated
Jun 26, 2026 - 19:20 vuln.today
CVE Published
Jun 26, 2026 - 18:33 github-advisory
CRITICAL 9.9

DescriptionGitHub Advisory

Summary

Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for arbitrary command execution on the Incus server by abusing lowlevel hooks such as raw.lxc and raw.qemu.

Details

Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for arbitrary command execution on the Incus server by abusing lowlevel hooks such as raw.lxc and raw.qemu.

As snapshots can be moved from one server to another, a malicious instance+snapshot can be crafted locally, moved to a restricted project and the snapshot restored for arbitrary command execution.

In practice, this allows a malicious actor to execute arbitrary commands on the host with root privileges.

PoC

# remote, restricted
incus project set rem:project restricted.true
incus project set rem:project restricted.containers.lowlevel=block
# locally, unrestricted project
incus init images:debian/trixie rce-raw-lxc
incus config set rce-raw-lxc raw.lxc='lxc.hook.pre-start = /bin/sh -c "/bin/id >/lxc-hook-prestart"'
incus snapshot create rce-raw-lxc snap0
#> allow transfer to restricted project
incus config unset rce-raw-lxc raw.lxc
# locally, transfer and trigger
incus move rce-raw-lxc rem: --mode push
incus snapshot restore rem:rce-raw-lxc snap0
incus start rem:rce-raw-lxc

Impact

  • Bypass of project restrictions.
  • Arbitrary command execution on the Incus server.

AnalysisAI

Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Incus with low-privilege project access
Delivery
Create instance with malicious raw.lxc/raw.qemu hook in unrestricted project
Exploit
Snapshot instance then unset raw key
Install
Move instance into restricted lowlevel-block project
C2
Restore snapshot bypassing restriction check
Execute
Start instance triggering host hook
Impact
Arbitrary command execution as root on host

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Incus user (CVSS PR:L) with permission to create instances in at least one unrestricted/permissive project and to move/migrate instances into a target project configured with restricted=true and restricted.containers.lowlevel=block - that restricted configuration is precisely the control being bypassed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant who holds a normal Incus account creates an instance in an unrestricted project, sets raw.lxc to a pre-start hook running an arbitrary command, snapshots it, then unsets the key so the instance can transfer. They move the instance to a project hardened with restricted.containers.lowlevel=block, restore the malicious snapshot, and start it - the hook fires and executes their command on the host as root. …
Remediation Vendor-released patch: upgrade Incus to 7.2.0 or later, which re-enforces the lowlevel restriction across the snapshot restore/import path; this is the primary and recommended fix (see https://github.com/lxc/incus/security/advisories/GHSA-48q5-w887-33wv). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Inventory all Incus installations and identify systems running versions before 7.2.0 with exposure to non-administrator users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy