CVE-2026-33945

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-33945
Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.

9.9 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
History

01 Apr 2026, 16:08

Type Values Removed Values Added
CPE cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
References () https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f - () https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f - Vendor Advisory
First Time Linuxcontainers
Linuxcontainers incus

30 Mar 2026, 13:26

Type Values Removed Values Added
Summary
  • (es) Incus es un gestor de contenedores de sistema y de máquinas virtuales. Las instancias de Incus tienen una opción para proporcionar credenciales a systemd en el invitado. Para los contenedores, esto se gestiona a través de un directorio compartido. Antes de la versión 6.23.0, un atacante puede establecer una clave de configuración con un nombre similar a systemd.credential.../../../../../../root/.bashrc para hacer que Incus escriba fuera del directorio 'credentials' asociado con el contenedor. Esto aprovecha el hecho de que la sintaxis de Incus para dichas credenciales es systemd.credential.XYZ, donde XYZ puede contener más puntos. Si bien no es posible leer ningún dato de esta manera, es posible escribir en archivos arbitrarios como root, lo que permite tanto la escalada de privilegios como los ataques de denegación de servicio. La versión 6.23.0 corrige el problema.

27 Mar 2026, 00:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-27 00:16

Updated : 2026-04-01 16:08

NVD link : CVE-2026-33945

Mitre link : CVE-2026-33945

CVE.ORG link : CVE-2026-33945

JSON object : View

Products Affected

linuxcontainers

  • incus
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')