Skip to main content

Linux EUVDEUVD-2026-16462

| CVE-2026-33711 MEDIUM
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-03-26 GitHub_M GHSA-q9vp-3wcg-8p4x
4.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 23:01 euvd
EUVD-2026-16462
Analysis Generated
Mar 26, 2026 - 23:01 vuln.today
CVE Published
Mar 26, 2026 - 22:37 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, protected_symlinks. On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.

AnalysisAI

Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.

Technical ContextAI

Incus (cpe:2.3:a:lxc:incus) is a system container and virtual machine manager providing an API for VM screenshot retrieval. The screenshot functionality relies on creating temporary files in /tmp with predictable paths, which QEMU uses to write screenshot data before the Incus service retrieves and transmits the file to the user. This design pattern is vulnerable to symlink-based attacks exploiting CWE-61 (Insecure Temporary File), a weakness where predictable temporary file locations allow attackers to pre-create symlinks to arbitrary targets. Most modern Linux kernels implement the protected_symlinks feature (sysctl kernel.protected_symlinks=1) which blocks such attacks by preventing unprivileged processes from following symlinks in sticky directories like /tmp that are owned by other users. However, on systems where this security feature has been explicitly disabled or unavailable, an attacker with local authentication can create malicious symlinks ahead of time, causing Incus to truncate, alter permissions, or modify arbitrary files when writing screenshots, leading to file system integrity compromise.

RemediationAI

Upgrade Incus to version 6.23.0 or later, which implements secure temporary file handling using non-predictable paths or proper O_TMPFILE semantics. Until patching can be completed, administrators should verify that kernel.protected_symlinks is enabled on all systems running Incus (check via 'sysctl kernel.protected_symlinks' - value should be 1) and disable the screenshot API functionality if it is not required in your environment. Additionally, restrict local system access to authenticated users who genuinely require Incus management capabilities, and monitor /tmp for suspicious symlink creation activity. Consult the vendor advisory at https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x for detailed upgrade procedures and verification steps.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-16462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy