GHSA-Q4Q8-7F2J-9H9F
Vulnerability from github – Published: 2026-03-27 17:22 – Updated: 2026-03-27 17:22
Summary
Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. An attacker can use the name of a systemd credential to escape that directory and overwrite arbitrary files on the host system.
This can in turn be used to perform local privilege escalation or cause a DoS.
Details
An attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods.
While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks.
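As an added example (not Incus code and not the referenced fix commit), the Go function below shows the check a defender would expect on a `systemd.credential.XYZ` key: derive the credential file name from the key, reject anything that is not a plain file name, and confirm the resulting path still sits below the credentials directory. The `credentialPath` function, the `/srv/creds` directory and the sample keys are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Prefix of instance config keys that carry a systemd credential (from the advisory).
const credentialPrefix = "systemd.credential."

var errInvalidCredentialName = errors.New("invalid systemd credential name")

// credentialPath returns the file under credDir that the credential named by
// configKey would be written to, or an error if the name could escape credDir.
// Periods in the name are allowed; path separators and "."/".." are not.
func credentialPath(credDir, configKey string) (string, error) {
	if !strings.HasPrefix(configKey, credentialPrefix) {
		return "", fmt.Errorf("not a credential key: %q", configKey)
	}
	name := strings.TrimPrefix(configKey, credentialPrefix)

	// A credential is a single file name: no separators, no NUL, no dot components.
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\\x00") {
		return "", errInvalidCredentialName
	}

	// Defence in depth: even after the name check, verify the joined path is below credDir.
	root := filepath.Clean(credDir)
	target := filepath.Join(root, name)
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errInvalidCredentialName
	}
	return target, nil
}

func main() {
	// Constructed sample keys: one benign, one of the traversal shape from the advisory.
	for _, key := range []string{
		"systemd.credential.db.password",
		"systemd.credential.../../../../../../root/.bashrc",
	} {
		p, err := credentialPath("/srv/creds", key)
		fmt.Printf("%-52s -> path=%q err=%v\n", key, p, err)
	}
}
```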
Credit
This issue was discovered and reported by the team at [7asecurity](https://7asecurity.com/).
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T17:22:32Z",
    "nvd_published_at": "2026-03-27T00:16:23Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nIncus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory.\nAn attacker can use the name of a systemd credential to escape that directory and overwrite arbitrary files on the host system.\n\nThis can in turn be used to perform local privilege escalation or cause a DoS.\n\n### Details\nAn attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods.\n\nWhile it\u0027s not possible to read any data this way, it\u0027s possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks.\n\n### Credit\nThis issue was discovered and reported by the team at [7asecurity](https://7asecurity.com/)",
  "id": "GHSA-q4q8-7f2j-9h9f",
  "modified": "2026-03-27T17:22:32Z",
  "published": "2026-03-27T17:22:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33945"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/commit/f74199f9983e2ce78f2b78b6d765c6635b229c82"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxc/incus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incus has an abitrary file write through its systemd-creds options"
}
```