CVE-2026-33945
Published: 27 March 2026
Summary
CVE-2026-33945 is a critical-severity Path Traversal (CWE-22) vulnerability in Linuxcontainers Incus. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 7.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of configuration key inputs such as `systemd.credential.../../../../../../root/.bashrc` to block path traversal and confine writes to the intended credentials directory.
- AC-3 (Access Enforcement): Enforces approved access authorizations to prevent Incus from writing arbitrary files as root outside the container's credentials directory.
- Mandates timely patching of the Incus path traversal flaw fixed in version 6.23.0 to eliminate the vulnerability enabling privilege escalation and denial of service.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the shared host-container credentials directory enables arbitrary root file writes from low-privileged host access, directly facilitating container escape (T1611) and subsequent host privilege escalation (T1068).
NVD Description
Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.
Deeper analysis
CVE-2026-33945 is a path traversal vulnerability (CWE-22) in Incus, an open-source system container and virtual machine manager. The issue affects the feature that provides credentials to systemd within guest instances, which for containers is implemented through a shared directory. Prior to version 6.23.0, an attacker can craft a configuration key such as `systemd.credential.../../../../../../root/.bashrc`. The key syntax is `systemd.credential.XYZ`, where `XYZ` may legitimately contain further periods, so a name containing `../` sequences is accepted and joined to the credentials directory without being confined to it. As a result, Incus writes the credential file outside the intended `credentials` directory.
The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity: network accessibility, low attack complexity, low privileges required, no user interaction, and impact that crosses the scope boundary. An attacker with low privileges on the host (PR:L) can exploit this remotely to have Incus write arbitrary files as root outside the container's credentials directory, enabling privilege escalation on the host or denial of service; the flaw does not allow reading data.
The GitHub Security Advisory (GHSA-q4q8-7f2j-9h9f) details the issue, confirming that Incus version 6.23.0 resolves the vulnerability by addressing the path traversal in credential handling. Security practitioners should upgrade to 6.23.0 or later and review configurations for systemd credential options in Incus containers.
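To make the mechanism and the SI-10 mitigation concrete, the following Go program is an added illustration written for this page; it is not Incus's own code, and the credentials directory path it uses is a constructed example rather than Incus's real on-disk layout. It contrasts an unchecked join of the `systemd.credential.XYZ` suffix onto the credentials directory, which lets `..` segments resolve to `/root/.bashrc`, with a validating version that accepts names containing periods but rejects any name that is not a single path element confined to the directory.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

const credPrefix = "systemd.credential."

// credentialPathUnsafe models the flawed behaviour the advisory describes:
// the key suffix is joined onto the credentials directory with no
// validation, so ".." segments walk out of it. (Illustration, not Incus code.)
func credentialPathUnsafe(credDir, key string) string {
	name := strings.TrimPrefix(key, credPrefix)
	return filepath.Join(credDir, name)
}

// credentialPathSafe applies the input validation NIST SI-10 calls for.
// Periods inside the name are allowed (the documented syntax permits them),
// but the name must be exactly one path element: no separators, not "." or
// "..", and the resolved target must remain inside credDir.
func credentialPathSafe(credDir, key string) (string, error) {
	if !strings.HasPrefix(key, credPrefix) {
		return "", fmt.Errorf("not a credential key: %q", key)
	}
	name := strings.TrimPrefix(key, credPrefix)
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("invalid credential name: %q", name)
	}
	target := filepath.Join(credDir, name)
	// Belt and braces: after cleaning, the path relative to credDir must be
	// the bare name, i.e. the target is a direct child of the directory.
	rel, err := filepath.Rel(credDir, target)
	if err != nil || rel != name {
		return "", fmt.Errorf("credential %q escapes %s", name, credDir)
	}
	return target, nil
}

func main() {
	credDir := "/var/lib/incus/containers/c1/credentials" // constructed example path
	key := "systemd.credential.../../../../../../root/.bashrc"
	fmt.Println("unchecked join writes to:", credentialPathUnsafe(credDir, key))
	if _, err := credentialPathSafe(credDir, key); err != nil {
		fmt.Println("validated join rejects it:", err)
	}
}
```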
Details
- CWE(s)