CVE-2026-33711
Symlink Attack in Incus VM Screenshot API Enables Privilege Escalation
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | incus | < 6.23.0 (6.23.0 and later not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Incus, a system container and virtual machine manager, specifically the API endpoint that returns a screenshot of a running VM. To produce the image, Incus has QEMU write to a temporary file at a predictable path under /tmp and then operates on that file itself, truncating it and changing its ownership and permissions. Because /tmp is world-writable, a local user who can guess the path can create a symlink there before the screenshot API is called; when Incus, which runs as root, opens the path, it follows the link and performs those operations on the link target instead. On most Linux systems this is blocked by the fs.protected_symlinks sysctl: the kernel refuses to follow a symlink located in a world-writable sticky directory such as /tmp unless the symlink's owner matches the process's UID or the directory's owner, so root following an unprivileged user's link in /tmp fails with a permission denied error. On the minority of systems where that sysctl is disabled, the attacker can have Incus truncate and change the ownership and permissions of arbitrary files, which is enough for denial of service or local privilege escalation.
This issue is fixed in Incus version 6.23.0.
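The following is an added example, not Incus code, and it does not reproduce the Incus screenshot code path. It shows the CWE-61 pattern in a scratch directory: a writer that truncates a fixed, guessable filename in a shared directory, next to one that writes into a freshly created 0700 directory where nobody else can pre-plant a link. The victim file, the directory layout and the name vm-screenshot-myvm.png are all constructed for the demo; the scratch directories are not sticky, so fs.protected_symlinks does not intervene here regardless of its setting.

```shell
#!/bin/sh
# Illustrative CWE-61 demo (added example, not Incus code). Everything
# below is constructed: the victim file, the shared directory, the name.

# Vulnerable pattern: truncate a fixed, guessable path in a shared
# directory. If a symlink was planted there first, the O_TRUNC open
# follows it and the link target is what gets truncated.
vulnerable_write() {
    shared_dir=$1
    # name derived from the VM name, so anyone can predict it
    target="$shared_dir/vm-screenshot-myvm.png"
    : > "$target"   # open(O_WRONLY|O_CREAT|O_TRUNC): follows a symlink
}

# Hardened pattern: create a private 0700 directory first (mktemp -d),
# then write inside it. Nothing can be pre-planted there. Prints the path.
hardened_write() {
    private_dir=$(mktemp -d) || return 1
    target="$private_dir/screenshot.png"
    : > "$target" || return 1
    printf '%s\n' "$target"
}

# Returns 0 if the vulnerable writer truncated the victim through the link.
demo_vulnerable() {
    work=$(mktemp -d)
    printf 'sensitive contents\n' > "$work/victim"
    shared="$work/shared"
    mkdir "$shared"
    # the attacker's move: plant a link under the predictable name
    ln -s "$work/victim" "$shared/vm-screenshot-myvm.png"
    vulnerable_write "$shared"
    size=$(wc -c < "$work/victim")
    rm -rf "$work"
    [ "$size" -eq 0 ]
}

# Returns 0 if the hardened writer produced a regular file inside a
# directory with mode 700 and left the unrelated victim file intact.
demo_hardened() {
    work=$(mktemp -d)
    printf 'sensitive contents\n' > "$work/victim"
    out=$(hardened_write) || { rm -rf "$work"; return 1; }
    dir=$(dirname "$out")
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
    size=$(wc -c < "$work/victim")
    ok=1
    [ -f "$out" ] && [ ! -L "$out" ] && [ "$mode" = "700" ] && [ "$size" -gt 0 ] && ok=0
    rm -rf "$work" "$dir"
    return $ok
}
```

Source the file and run `demo_vulnerable; echo $?` and `demo_hardened; echo $?`; both return 0, the first because the planted link redirected the truncation onto the victim, the second because the private directory gave the attacker nowhere to plant one.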
How can this vulnerability impact me?
On systems where fs.protected_symlinks is disabled, a local attacker can have Incus truncate arbitrary files and change their ownership and permissions. Corrupting important files in this way is a denial of service; making a root-owned file writable or emptying a file that gates access can be turned into local privilege escalation.
On most Linux systems the attack fails because fs.protected_symlinks is enabled by default and the kernel returns a permission denied error when Incus follows the attacker's link.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is local and depends on two conditions: an Incus version before 6.23.0 and the fs.protected_symlinks kernel setting being disabled on the host that runs the Incus daemon. Both are checked on that host, not on a remote client.
Check the kernel setting by reading the sysctl:
- cat /proc/sys/fs/protected_symlinks
A value of 0 means the protection is disabled (most distributions ship it as 1); combined with an affected Incus version, the host is exploitable.
Then check the Incus version:
- incus --version
This reports the version of the command-line client; since the daemon is what performs the file operations, confirm the server version as well on the host where incusd runs (incus version shows both client and server versions). If the daemon is older than 6.23.0 and protected_symlinks is 0, the host is vulnerable; if the daemon is older than 6.23.0 but protected_symlinks is 1, the attack is blocked but the host should still be upgraded.
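A small script, added here and not part of the advisory, that combines the two checks. It assumes incus --version prints a bare version string such as 6.22.0 and that sort supports -V (GNU coreutils). The assess function takes the two values as arguments, so it can also be run against values collected from other hosts; live_check gathers them from the machine it runs on.

```shell
#!/bin/sh
# Added example, not part of the advisory. Exit status 0 from assess or
# live_check means "looks vulnerable"; anything else means not exposed.

FIXED_VERSION=6.23.0

# is_affected_version VERSION -> 0 if VERSION sorts before 6.23.0
is_affected_version() {
    v=$1
    [ "$v" = "$FIXED_VERSION" ] && return 1
    # sort -V orders version strings numerically per component; if the
    # candidate comes out first it is older than the fixed release
    first=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$first" = "$v" ]
}

# symlinks_unprotected VALUE -> 0 if fs.protected_symlinks is off (0)
symlinks_unprotected() {
    [ "$1" = "0" ]
}

# assess VERSION PROTECTED -> prints a verdict; returns 0 only when both
# conditions for exploitation hold
assess() {
    ver=$1
    prot=$2
    if is_affected_version "$ver" && symlinks_unprotected "$prot"; then
        echo "VULNERABLE: incus $ver with fs.protected_symlinks=$prot; upgrade to $FIXED_VERSION and set the sysctl to 1"
        return 0
    elif is_affected_version "$ver"; then
        echo "AFFECTED VERSION: incus $ver, but fs.protected_symlinks=$prot blocks the attack; upgrade anyway"
        return 1
    else
        echo "NOT AFFECTED: incus $ver"
        return 1
    fi
}

# live_check -> reads the version and the sysctl from this host.
# Assumes `incus --version` prints only the version string.
live_check() {
    command -v incus >/dev/null 2>&1 || { echo "incus not installed on this host"; return 2; }
    ver=$(incus --version)
    if [ -r /proc/sys/fs/protected_symlinks ]; then
        prot=$(cat /proc/sys/fs/protected_symlinks)
    else
        prot=unknown   # non-Linux or restricted /proc: treat as not verified
    fi
    assess "$ver" "$prot"
}
```

Run `live_check` on each Incus host; note that it reports the client version, so on a host where the CLI and daemon packages can differ, feed the daemon's version to `assess` by hand.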
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Incus to version 6.23.0 or later on every host running the daemon; that removes the predictable temporary file from the screenshot path.
If upgrading is not immediately possible, make sure the fs.protected_symlinks kernel setting is enabled on the host. This blocks the attack but does not remove the underlying bug, so it is a stopgap, not a substitute for the upgrade.
- Enable protected_symlinks (as root) by running: echo 1 > /proc/sys/fs/protected_symlinks
That write takes effect immediately but does not survive a reboot; to make it persistent, set fs.protected_symlinks = 1 in a file under /etc/sysctl.d/ (the same value can also be applied with the sysctl utility). With the setting on, the kernel refuses to let root follow an unprivileged user's symlink in /tmp, which is exactly the step this attack relies on.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a local attacker to truncate and alter ownership of arbitrary files on the filesystem, potentially corrupting critical root-owned files such as credentials or configuration files. This could lead to denial of service, persistence mechanisms, and local privilege escalation.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the potential corruption or unauthorized modification of sensitive files could impact the confidentiality, integrity, and availability of data, which are core principles in these regulations.
Therefore, if systems handling regulated data are affected and this vulnerability is exploited, it could lead to non-compliance with data protection requirements due to unauthorized access or modification of sensitive information.