CVE-2026-33945
Path Traversal in Incus Credentials Allows Root File Write
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | incus | before 6.23.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33945 is a critical vulnerability in Incus, a system container and virtual machine manager, affecting versions prior to 6.23.0. The issue lies in how Incus handles systemd credentials for containers through a shared directory. An attacker can craft a specially named systemd credential containing directory traversal sequences, allowing them to write files outside the intended credentials directory on the host filesystem.
The vulnerability arises because the Incus syntax for credentials allows periods within the credential name, which makes directory traversal to arbitrary locations possible, such as the root user's .bashrc file. Reading data is not possible, but writing arbitrary files as root is, which can lead to serious security issues.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to write arbitrary files as root on the host system, leading to potential privilege escalation and denial of service attacks. Such unauthorized access and control over system files can compromise the confidentiality, integrity, and availability of data.
Because of these impacts, organizations using vulnerable versions of Incus may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data protection, system integrity, and availability.
Failure to remediate this vulnerability could result in violations of these regulations due to potential unauthorized modification or disruption of sensitive data and systems.
How can this vulnerability impact me?
The vulnerability allows an attacker to write arbitrary files on the host system with root privileges. This can lead to local privilege escalation, where the attacker gains higher-level access than intended.
Additionally, it can cause denial of service (DoS) attacks by overwriting critical host files, potentially disrupting system operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker setting specially crafted systemd credential keys containing directory traversal sequences to write arbitrary files as root outside the intended credentials directory.
Detection can focus on identifying unusual or suspicious systemd credential keys configured in Incus containers, especially those containing patterns like "systemd.credential.../../../" which indicate directory traversal attempts.
You can inspect the configuration of Incus containers for such keys by examining the container configuration files or querying Incus for systemd credential keys.
- Use commands to list container configurations and search for suspicious systemd credential keys, for example: `grep -r 'systemd.credential' /var/lib/incus/containers/*/config`
- Look for credential keys containing directory traversal sequences like "../" or multiple periods.
- Check for unexpected or recently modified files on the host filesystem that could have been written by this exploit, especially critical files like ".bashrc" in root's home directory.
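The configuration audit described above can be scripted. The following is an added example, not code from Incus or from this advisory: it assumes instance data in the JSON shape produced by `incus list --format json` (fields `name`, `project`, `config`, `expanded_config`), uses a placeholder credentials directory, and flags any `systemd.credential*` key whose name is not a single path component under that directory. The function names and sample data are constructed for illustration.

```python
import json
import posixpath

# Assumed placeholder: the real host-side credentials directory is not given on the page.
CRED_DIR = "/placeholder/credentials"

def credential_name(key):
    """Return the name part of a systemd.credential* config key, or None."""
    parts = key.split(".", 2)
    if len(parts) == 3 and parts[0] == "systemd" and parts[1].startswith("credential"):
        return parts[2]
    return None

def escapes_base(name, base=CRED_DIR):
    """True unless the name resolves to a direct child of the base directory."""
    target = posixpath.normpath(posixpath.join(base, name))
    return "/" in name or "\x00" in name or posixpath.dirname(target) != base

def audit(instances):
    """Return sorted (project, instance, key) tuples for keys that leave CRED_DIR."""
    findings = []
    for inst in instances:
        # expanded_config includes keys inherited from profiles; config is instance-local.
        keys = set(inst.get("expanded_config") or {}) | set(inst.get("config") or {})
        for key in keys:
            name = credential_name(key)
            if name is not None and escapes_base(name):
                findings.append((inst.get("project", "default"), inst["name"], key))
    return sorted(findings)

# Constructed sample in the shape of an instance list (name, project, config, expanded_config).
SAMPLE = json.loads(r"""
[
  {"name": "web01", "project": "default",
   "config": {"systemd.credential.api.token": "constructed"},
   "expanded_config": {"systemd.credential.api.token": "constructed", "limits.cpu": "2"}},
  {"name": "build7", "project": "ci",
   "config": {"systemd.credential.../../../constructed/target": "constructed"},
   "expanded_config": {}},
  {"name": "db02", "project": "default",
   "config": {},
   "expanded_config": {"systemd.credential...": "constructed"}}
]
""")

if __name__ == "__main__":
    for project, instance, key in audit(SAMPLE):
        print(f"{project}/{instance}: suspicious credential key {key!r}")
```

Checking `expanded_config` as well as `config` matters because a key inherited from a profile does not appear in the instance-local configuration.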
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade Incus to version 6.23.0 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, avoid using the systemd-creds option or restrict the ability to set systemd credential keys that could contain directory traversal sequences.
Additionally, monitor and audit container configurations for suspicious credential keys and restrict container privileges to minimize potential exploitation.