CVE-2026-23954
Published: 22 January 2026
Summary
CVE-2026-23954 is a high-severity Path Traversal (CWE-22) vulnerability in Linuxcontainers Incus. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); the vulnerability ranks at the 15.3 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates validation of source and target paths in container image templates to block directory traversal and symbolic link attacks.
- Requires timely identification, reporting, and remediation of flaws like the path validation failure in Incus templating, enabling application of the planned patch.
- Enforces least privilege to restrict membership in the 'incus' group and the ability to launch custom container images, eliminating the prerequisite for exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in Incus container templating enables host escape with arbitrary file read/write and command execution from low-privileged group membership, directly mapping to container escape and privilege escalation.
NVD Description
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Deeper analysis
CVE-2026-23954 is a high-severity vulnerability (CVSS 8.7) affecting Incus, an open-source system container and virtual machine manager, in versions 6.21.0 and below. The issue stems from inadequate validation of source and target paths in the templating functionality when launching containers with custom images containing a metadata.yaml file with templates. This enables directory traversal (CWE-22) or symbolic link attacks, allowing arbitrary file reads and writes on the host system. The vulnerability also impacts IncusOS deployments.
An attacker requires low privileges, such as membership in the 'incus' group, granting the ability to launch containers with custom images. From this position, exploitation involves crafting malicious templates in the image's metadata.yaml to traverse directories or follow symlinks outside the container's namespace. Successful attacks yield arbitrary host file read/write access, escalating to full arbitrary command execution on the host with elevated privileges.
The Incus security advisory (GHSA-7f67-crqm-jgh7) details the root causes in specific code paths (e.g., driver_lxc.go lines 7215 and 7294), includes a proof-of-concept exploit script (template_arbitrary_write.sh), and provides a proposed patch (templates_arbitrary_write.patch). A fix is planned for Incus versions 6.0.6 and 6.21.0, but these had not been released as of the CVE publication on 2026-01-22. Security practitioners should restrict custom image launches and monitor for updates.
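As an added illustration of the SI-10 control above (example code written for this page, not Incus's own code or its patch), the following Go function shows the kind of check the advisory describes as missing: a template source or target path from metadata.yaml is accepted only if, after lexical cleaning and after resolving any symbolic links in its existing prefix, it still lies inside the container's root filesystem. The function names ResolveInsideRoot and evalExistingPrefix are assumptions.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("template path escapes container rootfs")

// within reports whether p equals root or lies strictly below it.
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// evalExistingPrefix resolves symlinks in the longest existing prefix of p
// (a template target may not exist yet) and re-appends the remainder as-is.
func evalExistingPrefix(p string) (string, error) {
	existing, rest := p, []string{}
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		} else if !errors.Is(err, os.ErrNotExist) {
			return "", err // e.g. permission denied: fail closed
		}
		rest = append([]string{filepath.Base(existing)}, rest...)
		existing = filepath.Dir(existing)
	}
	resolvedPrefix, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	return filepath.Join(append([]string{resolvedPrefix}, rest...)...), nil
}

// ResolveInsideRoot (hypothetical name) maps rel, a template source or target
// path from metadata.yaml, onto the rootfs at root (absolute path), rejecting it
// unless the cleaned path and its symlink-resolved form both stay inside root.
func ResolveInsideRoot(root, rel string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root) // root itself may be a symlink
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, rel) // Join removes "../" lexically
	if !within(absRoot, candidate) {
		return "", ErrEscapesRoot // e.g. rel = "../../etc/passwd"
	}
	if resolved, err := evalExistingPrefix(candidate); err != nil {
		return "", err
	} else if within(absRoot, resolved) {
		return resolved, nil
	}
	return "", ErrEscapesRoot // e.g. rootfs/etc is a symlink to the host's /etc
}
```

Returning an error rather than a silently rewritten path keeps each rejected template visible in logs, which is what a detection rule for this class of image would key on.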
Details
- CWE(s)