CVE-2026-23954
HIGHIncus <= 6.21.0 - Arbitrary File Read and Write via Template Path Traversal
Title source: llmDescription
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
References (5)
Core 5
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7
Product x_refsource_misc
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215
Product x_refsource_misc
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294
Exploit x_refsource_misc
https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh
Patch x_refsource_misc
https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch
Scores
CVSS v3
8.7
EPSS
0.0006
EPSS Percentile
19.2%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
linuxcontainers/incus
< 6.0.5
lxc/incus
6.1.0Go
Published
Jan 22, 2026
Tracked Since
Feb 18, 2026