CVE-2026-33711
Published: 26 March 2026
Summary
CVE-2026-33711 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Linuxcontainers Incus. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Patching Incus to version 6.23.0 directly eliminates the predictable temporary file paths exploited in the symlink attack.
Enforcing kernel configuration settings such as protected_symlinks=1 blocks symlink following attacks on predictable /tmp paths used by Incus.
Prevents unauthorized modification of arbitrary files via shared system resources like /tmp exploited in the symlink vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables local file truncation and permission/mode modification via a symlink attack on predictable /tmp paths (T1222.002), which can be abused for local privilege escalation or denial of service when protected_symlinks is disabled (T1068).
NVD Description
Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus into truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.
Deeper analysis
CVE-2026-33711 is a symlink attack vulnerability (CWE-61) in Incus, an open-source system container and virtual machine manager. The issue affects the API endpoint for retrieving VM screenshots, which uses predictable temporary file paths under /tmp for QEMU to write screenshot data before it is served to the user and deleted. Versions of Incus prior to 6.23.0 are vulnerable, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this by pre-creating symlinks at the predictable /tmp paths. On most Linux systems, the kernel's protected_symlinks feature prevents success, resulting in a "Permission denied" error. However, on rare systems where protected_symlinks is explicitly disabled, the attacker can trick Incus into truncating arbitrary files and modifying their mode and permissions, potentially causing denial of service or local privilege escalation.
The Incus security advisory (GHSA-q9vp-3wcg-8p4x) confirms that upgrading to version 6.23.0 resolves the issue by addressing the predictable temporary file usage. Security practitioners should verify protected_symlinks is enabled on Linux hosts running Incus and prioritize patching affected instances.
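One way to script the host check recommended above, combining the installed Incus version with the kernel's protected_symlinks setting. This is an added example, not code from Incus or the advisory; the function names and status words are assumptions, and the operator supplies the installed version string.

```shell
#!/bin/sh
# Exposure check for CVE-2026-33711 (added example; names are hypothetical).
# Usage: assess "<installed Incus version>"

FIXED_VERSION="6.23.0"   # first fixed release according to this page

# version_lt A B: succeeds when dotted version A is older than B.
# Missing components count as 0, so "6.23" compares equal to "6.23.0".
version_lt() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=${a%%.*}; x=${x%%[!0-9]*}   # first component, digits only
        y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1
}

# symlink_protection [FILE]: prints the value stored in FILE (default:
# the kernel's fs.protected_symlinks entry), or "unknown" if unreadable.
symlink_protection() {
    f=${1:-/proc/sys/fs/protected_symlinks}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf unknown; fi
}

# assess VERSION [FILE]: prints one status word and returns non-zero
# only when the host needs attention.
#   patched    Incus is at or past the fixed release
#   mitigated  vulnerable release, but the kernel blocks symlink following
#   exposed    vulnerable release and protected_symlinks is not 1
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then echo patched; return 0; fi
    if [ "$(symlink_protection "$2")" = 1 ]; then echo mitigated; return 0; fi
    echo exposed; return 1
}
```

A "mitigated" result still calls for the upgrade to 6.23.0, since the kernel setting only blocks the symlink following and does not remove the predictable paths.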
Details
- CWE(s)