Description
Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to, which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus into truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.
Published: 2026-03-26
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch
AI Analysis

Impact

Incus, a system container and virtual machine manager, allows retrieval of VM screenshots via an API that writes to a temporary file in /tmp. Versions before 6.23.0 generate predictable paths for this temporary file, permitting an attacker with local access to create a pre‑existing symbolic link at that path. When protected_symlinks is disabled, Incus truncates the target file and alters its mode and permissions, effectively overwriting arbitrary files. This can lead to denial of service or local privilege escalation. The vulnerability is a classic path traversal and insecure temporary file issue, classified as CWE‑61.

Affected Systems

The affected product is Incus from the LXC project. All releases prior to 6.23.0 are vulnerable. The problem arises on Linux systems where the Incus API writes screenshots to predictable /tmp paths and the kernel’s protected_symlinks feature is disabled.

Risk and Exploitability

The CVSS score is 4.7, indicating low to moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. Attackers require local system access and the ability to create symlinks in /tmp. On systems with the default (enabled) protected_symlinks setting, the risk is mitigated, but on rare distributions where the feature is purposely disabled, local users can leverage the path to erase and overwrite arbitrary files, potentially gaining elevated privileges or causing a denial of service.

Generated by OpenCVE AI on March 27, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Incus to version 6.23.0 or later to remove the vulnerable screenshot handling logic.
  • Verify that the kernel’s protected_symlinks feature is enabled (fs.protected_symlinks=1); enabling it prevents the attack path that modifies arbitrary files.
  • If an upgrade is not immediately possible, restrict write permissions for unprivileged users to the /tmp directory or remove the directory as a temporary protection measure.
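
The first two recommended actions can be checked on a host with a short script. This is an added example, not OpenCVE's or the Incus project's code; the function names and the patched/mitigated/exposed labels are assumptions, and the installed Incus version is supplied by the operator as the first argument.

```shell
#!/bin/sh
# Added example: classify a host against the two conditions in this record.
FIXED_VERSION="6.23.0"   # first fixed release according to the description

# version_lt A B: succeeds when dotted numeric version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# read_protected_symlinks [FILE]: prints the sysctl value, or "unknown".
read_protected_symlinks() {
    cat "${1:-/proc/sys/fs/protected_symlinks}" 2>/dev/null || echo unknown
}

# assess VERSION SYSCTL_VALUE: prints patched, mitigated or exposed.
# Anything other than "1" for the sysctl is treated as unprotected.
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo patched
    elif [ "$2" = "1" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Usage: sh check.sh <installed Incus version>
if [ "$#" -ge 1 ]; then
    state=$(assess "$1" "$(read_protected_symlinks)")
    echo "incus $1, fs.protected_symlinks=$(read_protected_symlinks): $state"
    [ "$state" != "exposed" ]
fi
```

A "mitigated" result means the kernel blocks the symlink and the screenshot request fails with "Permission denied"; the upgrade to 6.23.0 is still the fix.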

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important


Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to, which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus into truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.
Title Incus vulnerable to local privilege escalation through VM screenshot path
Weaknesses CWE-61
References
Metrics cvssV4_0

{'score': 4.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T22:37:29.746Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33711

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T23:16:20.423

Modified: 2026-03-26T23:16:20.423

Link: CVE-2026-33711

Redhat

Severity : Important

Public Date: 2026-03-26T22:37:29Z

Links: CVE-2026-33711 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:54Z

Weaknesses