CRITICAL🇵🇱 Wersja polska

CVE-2026-33945

CVSS 9.9v3.1pub. 2026-03-27upd. 2026-04-01

Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.

🤖 AI Analysis
How it works

Incus allows passing credentials to systemd in the guest system through a shared directory. Credential configuration keys have the format `systemd.credential.XYZ`, where the `XYZ` part can contain dots and forward slashes. Before version 6.23.0, the lack of validation of this key name part allowed an attacker to provide a value containing a path traversal sequence, e.g. `systemd.credential.../../../../../../root/.bashrc`, resulting in Incus writing the file outside the intended `credentials` directory. Writing is performed with root privileges, however reading data via this method is not possible.

Impact

An attacker with access to instance configuration can overwrite or create arbitrary files on the host with root privileges, leading to privilege escalation or system destabilization (denial of service).

Mitigation & patch

Incus should be updated to version 6.23.0, which introduces proper validation of credential key names and eliminates the possibility of path traversal.

Who is affected

Linuxcontainers Incus in versions earlier than 6.23.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Linuxcontainers Incus

    APP
    Linuxcontainers
    < 6.23.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalLPEDoSContainer
CWE
References

Related vulnerabilities

CVE-2026-33897CRITICAL9.9PL ✓ten sam produkt

Incus: odczyt/zapis dowolnych plików jako root przez szablony pongo2

CVE-2026-40197HIGH7.1ten sam produkt

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in...

CVE-2026-40195HIGH7.1ten sam produkt

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in...

CVE-2026-40251HIGH7.1ten sam produkt

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in...

CVE-2026-33898HIGH8.8ten sam produkt

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `i...