Description
Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.
Published: 2026-03-26
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to write to arbitrary files within the host filesystem by crafting a specially named credential configuration key. Because the key can include directory traversal sequences, Incus writes the specified data outside the intended credentials directory, allowing the writing of any file as the root user. This results in full privilege escalation and can also be used to cause denial of service by corrupting critical host files. The weakness corresponds to CWE‑22, an absolute path traversal flaw.

Affected Systems

The flaw affects instances of the Incus container and VM manager produced by the lxc:incus vendor. Any installation of Incus prior to version 6.23.0 is vulnerable. Versions 6.23.0 and newer contain a fix that sanitizes credential keys.

Risk and Exploitability

The CVSS score is 10, indicating the highest possible severity. Although an official EPSS score is not yet available, the absence of any mitigation in the strategy suggests that exploitation is straightforward for a local attacker who can influence container configuration. The vulnerability is not listed in the CISA KEV catalog, but its potential for root access and the lack of traffic shaping make it a high‑priority target. The attack vector is inferred to be local or network‑bound to the Incus management interface, depending on the host configuration.

Generated by OpenCVE AI on March 27, 2026 at 06:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Incus to version 6.23.0 or later.
  • Verify that all credential configuration keys contain only valid names without any traversal patterns.
  • Audit current Incus deployments for any legacy credential keys that might expose traversal sequences.
  • If upgrade is not immediately possible, review and restrict the ability to modify container configuration to trusted personnel only.

Generated by OpenCVE AI on March 27, 2026 at 06:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.
Title Abitrary file write through systemd-creds option
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Lxc Incus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T23:27:45.711Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33945

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T00:16:23.633

Modified: 2026-03-27T00:16:23.633

Link: CVE-2026-33945

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-26T23:27:45Z

Links: CVE-2026-33945 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:47Z

Weaknesses