Threat Advisory

Incus Image Hash Vulnerability Enables File Write

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Incus container management daemon (incusd), affecting versions prior to 7.2.0. The flaws include arbitrary file writes, argument injection, path traversal and an access-control bypass; each of them can be turned into arbitrary command execution as root on the host. The business risk is substantial: successful exploitation gives an attacker full control of the host that runs the containers, with data exfiltration, service disruption and lateral movement across the infrastructure as likely consequences.


  • CVE-2026-48769 with a CVSS score of 9.9 – Arbitrary file write: a malicious image server returns a crafted header whose value is used to build a file path, enabling path traversal and arbitrary command execution as root.
  • CVE-2026-48755 with a CVSS score of 9.9 – Improper validation of the user-supplied backup compression algorithm name allows argument injection into the compression command, leading to arbitrary file writes and potential command execution on the host.
  • CVE-2026-48753 with a CVSS score of 9.9 – The S3 protocol upload endpoint fails to sanitize upload IDs, allowing path traversal that creates arbitrary files and leads to command execution.
  • CVE-2026-48749 with a CVSS score of 9.9 – A malicious image with a crafted symlink inside its rootfs permits arbitrary file read and write operations on the host, facilitating command execution.
  • CVE-2026-48751 with a CVSS score of 9.9 – Instance snapshots ignore restricted project settings, allowing a bypass of those security controls and arbitrary command execution via low-level hooks.
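The four input-handling flaws above share a pattern: an attacker-controlled string (a header value from an image server, an upload ID, a compressor name, a symlink target inside an image) reaches a file path or a command line without being constrained first. As an added illustration, not code from Incus or from the advisories, the Go sketch below shows the checks a practitioner would expect at each of those boundaries. The directory paths, the hash and upload-ID formats, the compressor allowlist and the temporary rootfs are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	errTraversal = errors.New("name escapes the base directory")
	errBadName   = errors.New("name contains characters outside the allowed set")
	errBadArg    = errors.New("value is not an allowed compression command")

	// Assumed formats (not taken from Incus): an image hash is a 64-character
	// lowercase sha256 hex string, an upload ID is a short opaque token.
	hashRe     = regexp.MustCompile(`^[0-9a-f]{64}$`)
	uploadIDRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

	// Hypothetical allowlist of compressors a backup endpoint would accept.
	allowedCompressors = map[string]bool{"gzip": true, "xz": true, "zstd": true}
)

// escapes reports whether rel (a path relative to some base) points above it.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// joinUnderBase validates an untrusted name against re, joins it under base and
// refuses the result if it does not stay inside base after cleaning.
func joinUnderBase(base, name string, re *regexp.Regexp) (string, error) {
	if !re.MatchString(name) {
		return "", errBadName
	}
	p := filepath.Join(base, name) // Join cleans "..", the regexp already rejected it
	rel, err := filepath.Rel(base, p)
	if err != nil || escapes(rel) {
		return "", errTraversal
	}
	return p, nil
}

// ImageCachePath maps a hash reported by a remote image server to a cache file.
func ImageCachePath(cacheDir, hashFromHeader string) (string, error) {
	return joinUnderBase(cacheDir, hashFromHeader, hashRe)
}

// UploadPartPath maps an upload ID from an S3-style multipart request to a file.
func UploadPartPath(uploadDir, uploadID string) (string, error) {
	return joinUnderBase(uploadDir, uploadID, uploadIDRe)
}

// CompressCommand builds an argv for a user-requested backup compressor. Only an
// exact allowlist member is accepted; whitespace, a leading '-' or an unknown
// value is rejected instead of being handed to exec or a shell.
func CompressCommand(algorithm string) ([]string, error) {
	if strings.ContainsAny(algorithm, " \t\n") || strings.HasPrefix(algorithm, "-") || !allowedCompressors[algorithm] {
		return nil, errBadArg
	}
	return []string{algorithm, "-c"}, nil
}

// ResolveWithinRoot follows symlinks for rel under root and refuses the result
// if the final target lies outside root; a crafted symlink in an untrusted
// rootfs would otherwise redirect a read or write onto a host path.
func ResolveWithinRoot(root, rel string) (string, error) {
	rootAbs, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(rootAbs, rel))
	if err != nil {
		return "", err
	}
	r, err := filepath.Rel(rootAbs, target)
	if err != nil || escapes(r) {
		return "", errTraversal
	}
	return target, nil
}

func main() {
	for _, h := range []string{strings.Repeat("a", 64), "../../etc/cron.d/x"} {
		p, err := ImageCachePath("/var/lib/incus/images", h)
		fmt.Printf("hash %q -> %q err=%v\n", h, p, err)
	}
	for _, a := range []string{"xz", "xz --files-from=/etc/shadow", "-d"} {
		argv, err := CompressCommand(a)
		fmt.Printf("compressor %q -> %q err=%v\n", a, argv, err)
	}
	// Constructed rootfs containing a symlink that points at the host filesystem.
	root, _ := os.MkdirTemp("", "rootfs")
	defer os.RemoveAll(root)
	_ = os.Mkdir(filepath.Join(root, "etc"), 0o755)
	_ = os.Symlink("/", filepath.Join(root, "escape"))
	for _, rel := range []string{"etc", "escape"} {
		p, err := ResolveWithinRoot(root, rel)
		fmt.Printf("rootfs path %q -> %q err=%v\n", rel, p, err)
	}
}
```

The allowlist check on the compressor name is deliberately stricter than "does it look like a flag": once a value is interpolated into a command, the only safe shape is an exact match against names the daemon already knows how to run. The symlink check has to resolve the root itself as well as the target, otherwise a root directory that is itself reached through a symlink would make every relative comparison wrong.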

These vulnerabilities pose a severe and immediate risk to the integrity of containerized environments, enabling complete host takeover. Exploitation could result in significant business continuity issues, unauthorized access to sensitive data, and full infrastructure compromise. Urgent action is necessary to secure systems against these critical threats.

RECOMMENDATION:

  • Update incusd to version 7.2.0 or later on every host, and confirm the running server version afterwards (for example with `incus version`, which prints both the client and the server version).
  • Until the update is applied, pull images only from image servers you control or trust, and limit who may add remotes or import images, since two of the flaws are triggered by a malicious image server or image.
  • Do not treat restricted projects as a security boundary for snapshot operations on unpatched hosts, and restrict access to the backup and S3 upload endpoints to trusted users.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-f6m5-xw2g-xc4x
https://github.com/advisories/GHSA-v6mj-8pf4-hhw4
https://github.com/advisories/GHSA-ccjc-4qc3-jxqc
https://github.com/advisories/GHSA-vxp5-584q-c479
https://github.com/advisories/GHSA-73hr-m85f-64v9
https://github.com/advisories/GHSA-2q3f-q5pq-g8wv
https://github.com/advisories/GHSA-48q5-w887-33wv
