CRITICAL🇵🇱 Wersja polska

CVE-2026-33897

CVSS 9.9v3.1pub. 2026-03-26upd. 2026-03-30

Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue.

🤖 AI Analysis
How it works

Incus allows the use of pongo2 templates within instances, which are processed at various stages of the instance lifecycle to generate files in its filesystem. The implementation assumed that the chroot function in pongo2 would restrict access only to the instance filesystem. In reality, the chroot isolation mechanism is completely bypassed by pongo2, resulting in unrestricted access to the entire host filesystem with root privileges. An attacker with the ability to control template files in the instance can easily exploit this vulnerability.

Impact

An attacker can read or overwrite arbitrary files on the host with root privileges, which in practice leads to complete takeover of the server hosting Incus instances — including privilege escalation, credential theft, and permanent compromise of the system.

Mitigation & patch

Incus should be updated to version 6.23.0, which contains a patch eliminating the vulnerability. If immediate update is not possible, restrict the ability to define pongo2 templates by unprivileged instance users.

Who is affected

Linuxcontainers Incus in all versions prior to 6.23.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Linuxcontainers Incus

    APP
    Linuxcontainers
    < 6.23.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-33945CRITICAL9.9PL ✓ten sam produkt

Path Traversal w Incus umożliwia zapis dowolnych plików jako root

CVE-2026-40197HIGH7.1ten sam produkt

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in...

CVE-2026-40251HIGH7.1ten sam produkt

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in...

CVE-2026-40195HIGH7.1ten sam produkt

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in...

CVE-2026-33898HIGH8.8ten sam produkt

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `i...