Description
Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.
Published: 2026-03-26
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary root file write
Action: Patch Now
AI Analysis

Impact

Incus, a system container and virtual machine manager, contains a configuration flaw that allows an attacker to supply a specially crafted credential key such as systemd.credential.XYZ to write outside the allowed credentials directory. By steering the key name to contain path-traversal fragments, the software opens the opportunity to write arbitrary files as root, leading to privilege escalation or denial of service. The vulnerability is a directory traversal/file write problem classified as CWE-22.

Affected Systems

Affected systems are deployments using the Linux Containers Incus container manager from the LXC project. Versions older than 6.23.0 are impacted; this includes all releases where the systemd credential syntax has been implemented without proper sanitization, such as 6.22.x and earlier. Any container or VM running under those versions is vulnerable if credentials are exposed.

Risk and Exploitability

This issue has a CVSS score of 10 and an EPSS score of less than 1%, indicating a high severity but a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves the attacker having the ability to set or modify configuration for a container or virtual machine, for example via the Incus API or control interface, in order to inject a malicious credential key that traverses directories and writes to arbitrary files as root. No complete remote exploit path is disclosed, but the flaw provides local root-escapable write capabilities.

Generated by OpenCVE AI on April 2, 2026 at 04:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Incus to version 6.23.0 or later, where the directory traversal check is fixed.
  • If an upgrade is not feasible, disable the systemd credential feature or ensure that no credentials are supplied for containers.
  • Restrict configuration changes to trusted administrators only to prevent malicious key injection.
  • Verify that file write attempts outside the credentials directory are blocked by monitoring Incus logs.

Generated by OpenCVE AI on April 2, 2026 at 04:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q4q8-7f2j-9h9f Incus has an abitrary file write through its systemd-creds options
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Linuxcontainers
Linuxcontainers incus
CPEs cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products Linuxcontainers
Linuxcontainers incus

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.
Title Abitrary file write through systemd-creds option
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Linuxcontainers Incus
Lxc Incus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:00:08.359Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33945

cve-icon Vulnrichment

Updated: 2026-03-27T14:09:50.207Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T00:16:23.633

Modified: 2026-04-01T16:08:28.247

Link: CVE-2026-33945

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-26T23:27:45Z

Links: CVE-2026-33945 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:04Z

Weaknesses