FKIE_CVE-2026-23954

Vulnerability from fkie_nvd - Published: 2026-01-22 22:16 - Updated: 2026-01-30 17:28
Severity ?
8.7 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
References
security-advisories@github.comhttps://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215Product
security-advisories@github.comhttps://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294Product
security-advisories@github.comhttps://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7Exploit, Vendor Advisory
security-advisories@github.comhttps://github.com/user-attachments/files/24473599/template_arbitrary_write.shExploit
security-advisories@github.comhttps://github.com/user-attachments/files/24473601/templates_arbitrary_write.patchPatch
Impacted products
Vendor Product Version
linuxcontainers incus *
linuxcontainers incus *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DF87DBE-86FF-4E74-8086-AE3360A94C71",
              "versionEndIncluding": "6.0.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47AA575C-385C-4C34-8CC0-F370EC4ED7B4",
              "versionEndExcluding": "6.21.0",
              "versionStartIncluding": "6.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the \u2018incus\u2019 group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication."
    },
    {
      "lang": "es",
      "value": "Incus es un gestor de contenedores de sistema y m\u00e1quinas virtuales. Las versiones 6.21.0 e inferiores permiten a un usuario con la capacidad de lanzar un contenedor con una imagen personalizada (por ejemplo, un miembro del grupo \u0027incus\u0027) utilizar salto de directorio o enlaces simb\u00f3licos en la funcionalidad de plantillas para lograr la lectura arbitraria de archivos del host y la escritura arbitraria de archivos del host. Esto finalmente resulta en la ejecuci\u00f3n arbitraria de comandos en el host. Al usar una imagen con un metadata.yaml que contiene plantillas, ni las rutas de origen ni las de destino se verifican en busca de enlaces simb\u00f3licos o salto de directorio. Esto tambi\u00e9n puede ser explotado en IncusOS. Se planea una correcci\u00f3n para las versiones 6.0.6 y 6.21.0, pero no han sido lanzadas en el momento de la publicaci\u00f3n."
    }
  ],
  "id": "CVE-2026-23954",
  "lastModified": "2026-01-30T17:28:49.473",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-22T22:16:20.833",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.