CVE-2026-23953
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-23953, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-22

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description

Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-22
Last Modified
2026-01-30
Generated
2026-07-06
AI Q&A
2026-01-23
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linuxcontainers incus to 6.0.5 (inc)
linuxcontainers incus From 6.1.0 (inc) to 6.21.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Incus versions 6.20.0 and below, where a user able to launch a container with a custom YAML configuration can inject newlines into environment variables. This newline injection allows adding extra configuration items into the container's lxc.conf file, enabling the addition of arbitrary lifecycle hooks. Ultimately, this can lead to arbitrary command execution on the host system.

Impact Analysis

Exploiting this vulnerability can allow an attacker with limited privileges (a user able to launch containers with custom YAML) to execute arbitrary commands on the host system. This can compromise the host's security, potentially leading to unauthorized access, data manipulation, or disruption of services.

Mitigation Strategies

Immediate mitigation steps include restricting the ability to launch containers with custom YAML configurations to trusted users only (e.g., limiting membership of the 'incus' group), avoiding running vulnerable versions (6.20.0 and below), and monitoring for updates or patches, specifically versions 6.0.6 and 6.21.0 once released. Additionally, avoid mounting writable host directories like /tmp into containers for validation purposes until a fix is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart