CVE-2026-33897
Published: 26 March 2026
Summary
CVE-2026-33897 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Linuxcontainers Incus. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires identification, reporting, and correction of the pongo2 chroot bypass flaw in Incus by applying patches such as version 6.23.0.
- Mandates process isolation to confine container instance processes to their execution domains, preventing unauthorized root access to the host filesystem.
- Enforces software-based separation policies using mechanisms like container namespaces, countering the chroot isolation skip in Incus templating.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a chroot bypass in Incus container/VM templating that grants unrestricted root-level read/write access to the host filesystem from within an instance, directly enabling adversaries to escape the container boundary and compromise the underlying host.
NVD Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary reads or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue.
Deeper analysis
CVE-2026-33897 is a critical-severity vulnerability (CVSS 9.9) affecting Incus, an open-source system container and virtual machine manager, in versions prior to 6.23.0. The issue stems from the way the pongo2 templating engine is used within Incus instances during various lifecycle stages to process template files. pongo2 was intended to support file read/write operations confined to the instance's filesystem via a chroot isolation mechanism, so that a template could read a file and regenerate it. That chroot feature is entirely skipped, so templates get unrestricted access to the host server's filesystem with root privileges (CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine).
An attacker with low privileges (PR:L) on an Incus instance can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving a scope change (S:C) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). By crafting malicious instance template files that leverage pongo2, the attacker can perform arbitrary reads or writes as root on the host system, potentially leading to full host compromise, data exfiltration, persistence, or disruption.
The official GitHub security advisory (GHSA-83xr-5xxr-mh92) confirms that Incus version 6.23.0 addresses the vulnerability by patching the pongo2 chroot bypass. Security practitioners should upgrade to 6.23.0 or later and review instances for untrusted templates.
Details
- CWE(s)