Description
Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g. /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Published: 2026-01-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from newline injection in environment variable handling during container initialization. An attacker who can launch a container through a custom YAML configuration can embed newline characters in an environment variable value, causing the Incus engine to split the value into multiple configuration directives. This effectively allows the insertion of arbitrary lifecycle hooks into the container’s LXC configuration. The injected hooks can execute arbitrary code on the host, leading to full host control and representing a severe Local Privilege Escalation flaw. This weakness is identified as CWE‑93.

Affected Systems

The flaw exists in Incus version 6.20.0 and earlier. Users who belong to the incus group or have permission to create containers with custom YAML files can trigger the injection. The planned fix is slated for releases 6.0.6 and 6.21.0, which have not yet been made publicly available.

Risk and Exploitability

The CVSS base score is 8.7, indicating high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Since exploitation requires only local access to the Incus management interface and membership in the incus group, it does not depend on network exposure. An attacker can validate the payload by mounting /tmp from the host, a privileged operation reserved for validation steps. The attack surface is therefore limited to users with container creation permissions, and no known active exploitation has been reported.

Generated by OpenCVE AI on April 18, 2026 at 03:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release newer than 6.21.0 that includes the official newline‑injection patch.
  • If upgrading is not possible, remove non‑privileged users from the incus group or restrict group membership to trusted administrators.
  • Disable or sanitize custom YAML configuration that allows environment variables containing newlines, for example by enforcing a policy that rejects such values or limiting the use of environment variables to single‑line values.
  • As an interim workaround, apply the community patch available at https://github.com/user-attachments/files/24473685/environment_newline_injection.patch and subsequently exclude impacted containers from host filesystem mounts like /tmp.
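The third recommendation above, rejecting configuration values that contain newlines, is simple to enforce before an instance definition ever reaches the daemon. The following is an added example, not OpenCVE's or the Incus project's code: a pre-launch check that walks an instance definition's `config` map and device properties and refuses any key or value carrying a carriage return, line feed or other control character. The instance definitions, key names such as `environment.CFLAGS` and device entries are constructed sample input; in practice the dict would come from `yaml.safe_load` on the user-supplied file.

```python
"""Added example: reject Incus instance definitions whose config values contain
control characters (newlines included), as an interim policy check."""
import re

# C0 control range plus DEL. CR and LF are what matters for a line-oriented
# file such as lxc.conf, but no legitimate config value needs the others either.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def find_unsafe_values(mapping: dict, prefix: str = "") -> list[str]:
    """Return dotted paths of keys or string values containing control characters."""
    hits = []
    for key, value in mapping.items():
        path = f"{prefix}{key}"
        if _CONTROL.search(str(key)):
            hits.append(path)
            continue
        if isinstance(value, dict):
            hits.extend(find_unsafe_values(value, prefix=path + "."))
        elif isinstance(value, str) and _CONTROL.search(value):
            hits.append(path)
    return sorted(hits)


def check_instance(instance: dict) -> list[str]:
    """Check the 'config' map and every device's properties of an instance definition."""
    return find_unsafe_values({
        "config": instance.get("config", {}),
        "devices": instance.get("devices", {}),
    })


def validate_instance(instance: dict) -> dict:
    """Return the definition unchanged, or raise ValueError naming the offending paths."""
    hits = check_instance(instance)
    if hits:
        raise ValueError(
            "refusing instance definition; control characters in: " + ", ".join(hits)
        )
    return instance


# Constructed sample definitions (hypothetical instance names and values).
SAFE_INSTANCE = {
    "name": "build1",
    "config": {"environment.CC": "gcc", "limits.cpu": "2"},
    "devices": {"root": {"type": "disk", "path": "/", "pool": "default"}},
}

UNSAFE_INSTANCE = {
    "name": "build2",
    "config": {
        "environment.CC": "gcc",
        # A multi-line value: each line after the first would land in lxc.conf
        # as its own entry on an unpatched daemon, so it is refused outright.
        "environment.CFLAGS": "-O2\n-Wall",
    },
    "devices": {
        "root": {"type": "disk", "path": "/", "pool": "default"},
        "shared": {"type": "disk", "source": "/srv/data\r", "path": "/data"},
    },
}


if __name__ == "__main__":
    print("safe:", check_instance(SAFE_INSTANCE))
    print("unsafe:", check_instance(UNSAFE_INSTANCE))
    try:
        validate_instance(UNSAFE_INSTANCE)
    except ValueError as exc:
        print(exc)
```

The check is deliberately broader than "no newline in environment.* values": it covers every key and device property, because any value that ends up in a line-oriented file is the same class of problem, and a single rule is easier to audit than a per-key allowlist.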

Generated by OpenCVE AI on April 18, 2026 at 03:36 UTC.


Advisories

Source        ID                   Title
Debian DSA    DSA-6109-1           incus security update
Debian DSA    DSA-6153-1           lxd security update
Github GHSA   GHSA-x6jc-phwx-hp32  Incus container environment configuration newline injection

History

Fri, 30 Jan 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Linuxcontainers; Linuxcontainers incus
CPEs                                  cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products                    Linuxcontainers; Linuxcontainers incus

Mon, 26 Jan 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Lxc; Lxc incus
Vendors & Products                    Lxc; Lxc incus

Thu, 22 Jan 2026 23:00:00 +0000

Type                 Values Removed   Values Added
Description                           Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g. /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Title                                 Incus container environment configuration newline injection
Weaknesses                            CWE-93
References
Metrics                               cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T21:00:46.311Z

Reserved: 2026-01-19T14:49:06.312Z

Link: CVE-2026-23953

Vulnrichment

Updated: 2026-01-26T21:00:42.648Z

NVD

Status : Analyzed

Published: 2026-01-22T22:16:20.673

Modified: 2026-01-30T17:28:45.740

Link: CVE-2026-23953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses