CVE-2026-23954 in incus
Summary
by MITRE • 01/23/2026
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Analysis
by VulDB Data Team • 01/23/2026
CVE-2026-23954 affects Incus, a system container and virtual machine manager. The flaw sits in the image templating functionality of Incus 6.21.0 and earlier and yields arbitrary file read and arbitrary file write on the host, which an attacker can turn into command execution with the privileges of the Incus daemon, which runs as root. The only prerequisite is the ability to launch a container from a custom image, for example membership in the 'incus' group, so the exposed population is every user who may launch containers, not just administrators.
The root cause is missing path validation in the templating step driven by an image's metadata.yaml. Each template entry names a source (the template file, taken from the image's templates directory) and a target path (a location inside the container's root filesystem), and when Incus renders templates it checks neither path for directory traversal sequences or symbolic links. A hostile image can therefore point a source at a host file, whose contents the rendered template then exposes inside the container, or route a target through a symbolic link planted in the image's rootfs so that the rendered content is written onto the host. The traversal half maps to CWE-22 (improper limitation of a pathname to a restricted directory) and its variant CWE-35; the symbolic-link half is link following, catalogued separately as CWE-59 (improper link resolution before file access), not CWE-35 as the original entry implies. Either route steps outside the containment that the container root filesystem is supposed to provide.
The impact is a full break of the isolation the container model promises. The chain is file read, then file write, then command execution: reading host files yields credentials and configuration, and writing a host file that the system later executes yields code execution as root. In ATT&CK terms this is T1611 (Escape to Host) and T1068 (Exploitation for Privilege Escalation), with the resulting execution covered by T1059 (Command and Scripting Interpreter); T1566 is Phishing and does not describe this bug. The exposure is worst in multi-tenant deployments where untrusted users may launch containers: one hostile image compromises the host, and with it every other container on that host and any credentials the host holds for neighbouring systems, which is what makes persistence and lateral movement from this foothold straightforward.
The attack vector is the image itself: a crafted metadata.yaml, delivered in an image the user is allowed to launch, carries template entries whose source or target path contains traversal sequences or passes through a symbolic link, and Incus processes them without validation. IncusOS is affected as well, which shows the defect lives in the shared templating code rather than in any particular installation or configuration. This is a least-privilege failure: the 'incus' group is meant to delegate container management, but here it delegates the host. The summary names 6.0.6 and 6.21.0 as the fixed versions while also listing 6.21.0 as affected; until a release and its notes confirm the fix, treat any build at or below 6.21.0 as vulnerable. Compensating controls in the meantime: remove untrusted users from the 'incus' group, allow launches only from images and remotes you trust and have reviewed, and watch the host for files written by the Incus daemon outside container storage and for symbolic links appearing under container root filesystems.
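The unchecked path handling described in the analysis above, shown as an added example in Go (the language Incus is written in). This is illustrative code written for this page, not Incus's own template code; the function names, the constructed rootfs layout, the planted "pwn" symlink and the sample host file are all assumptions. It puts the naive join that produces the bug beside a check that rejects lexical traversal, symlinks that resolve outside the rootfs, and dangling symlinks. The same check applies to a template's source path with the image's templates directory as the root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Errors returned by the hardened check. Names are assumptions for this example.
var (
	ErrEscapesRoot  = errors.New("template path resolves outside the container rootfs")
	ErrDanglingLink = errors.New("template path passes through a dangling symlink")
)

// naiveTemplatePath is the unsafe pattern: join the target onto the rootfs and
// trust the result. "..", absolute paths and symlinks planted in the image all
// redirect the read or write to the host filesystem.
func naiveTemplatePath(rootfs, target string) string {
	return filepath.Join(rootfs, target)
}

// safeTemplatePath treats target as an absolute path inside the container,
// rejects traversal lexically, then resolves symlinks and rejects anything that
// lands outside rootfs. The target may not exist yet (templates create files),
// so only its existing ancestors are resolved.
func safeTemplatePath(rootfs, target string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	root, err = filepath.Abs(root)
	if err != nil {
		return "", err
	}
	rel := strings.TrimPrefix(target, "/")
	if rel == "" || filepath.IsAbs(rel) {
		return "", ErrEscapesRoot
	}
	clean := filepath.Clean(rel)
	if clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	resolved, err := resolveExisting(filepath.Join(root, clean))
	if err != nil {
		return "", err
	}
	inside, err := filepath.Rel(root, resolved)
	if err != nil || inside == ".." || strings.HasPrefix(inside, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

// resolveExisting resolves symlinks in the longest existing prefix of p and
// re-attaches the not-yet-created remainder. A component that Lstat sees but
// EvalSymlinks cannot resolve is a dangling symlink; creating a file through it
// would follow the link, so it is refused rather than treated as "missing".
func resolveExisting(p string) (string, error) {
	rest := ""
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(r, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if _, lerr := os.Lstat(p); lerr == nil {
			return "", ErrDanglingLink
		}
		rest = filepath.Join(filepath.Base(p), rest)
		parent := filepath.Dir(p)
		if parent == p {
			return "", err
		}
		p = parent
	}
}

// setupDemoRootfs builds a constructed layout under base: a rootfs with a
// legitimate etc/ directory plus an attacker-planted symlink "pwn" pointing at
// a directory outside the rootfs, and a sample "host" file the image must not
// reach. Returns the rootfs path and that host file's path.
func setupDemoRootfs(base string) (rootfs, outside string, err error) {
	rootfs = filepath.Join(base, "rootfs")
	hostDir := filepath.Join(base, "host")
	for _, d := range []string{filepath.Join(rootfs, "etc"), hostDir} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return
		}
	}
	outside = filepath.Join(hostDir, "shadow")
	if err = os.WriteFile(outside, []byte("root:*:0:0:::\n"), 0o600); err != nil {
		return
	}
	err = os.Symlink(hostDir, filepath.Join(rootfs, "pwn"))
	return
}

func main() {
	base, err := os.MkdirTemp("", "incus-template-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	rootfs, outside, err := setupDemoRootfs(base)
	if err != nil {
		panic(err)
	}
	fmt.Println("host file the image must not reach:", outside)
	for _, target := range []string{"/etc/hostname", "/../host/shadow", "/pwn/shadow"} {
		safe, err := safeTemplatePath(rootfs, target)
		fmt.Printf("%-16s naive=%s\n%-16s safe=%q err=%v\n", target, naiveTemplatePath(rootfs, target), "", safe, err)
	}
}
```

Running it prints, for each target, where the naive join lands and whether the check accepts it: the traversal and the planted symlink both reach the host file through the naive join and are both refused by the check. The check is still check-then-use: a symlink swapped in between resolution and the write would not be caught. The robust fix is to open every component relative to the rootfs with symlink following confined to it (openat2 with RESOLVE_IN_ROOT on Linux, or os.Root in Go 1.24 and later), which is what a daemon writing into untrusted filesystems should do.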