CVE-2026-23954
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the β€˜incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23954
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxcontainers incus to 6.0.5 (inc)
linuxcontainers incus From 6.1.0 (inc) to 6.21.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Incus (versions 6.21.0 and below) allows a user who can launch a container with a custom image (such as a member of the 'incus' group) to exploit directory traversal or symbolic links in the templating functionality. This flaw enables the user to read and write arbitrary files on the host system, ultimately leading to arbitrary command execution on the host. The issue arises because the source and target paths in the image's metadata.yaml templates are not checked for symbolic links or directory traversal.

Impact Analysis

This vulnerability can have a severe impact as it allows an attacker with limited privileges (able to launch containers with custom images) to execute arbitrary commands on the host system. This can lead to unauthorized access, data manipulation, or disruption of services on the host, compromising the security and integrity of the system.

Mitigation Strategies

Immediate mitigation steps include restricting the ability to launch containers with custom images to trusted users only (e.g., limiting membership of the 'incus' group), avoiding use of images with untrusted or unverified metadata.yaml templates, and monitoring for any suspicious activity related to container templating. Since a fix is planned but not yet released, applying updates once available is critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart