CVE-2026-33711: CWE-61: UNIX Symbolic Link (Symlink) Following in lxc incus
CVE-2026-33711 is a medium severity vulnerability in Incus, a system container and VM manager, affecting versions prior to 6. 23. 0. The vulnerability arises from the use of predictable temporary file paths under /tmp for VM screenshots, allowing a local attacker to create symlinks that can be abused. On most Linux systems, a kernel security feature called protected_symlinks prevents exploitation, resulting in a permission denied error. However, on systems where this feature is disabled, an attacker can cause Incus to truncate and modify arbitrary files, potentially leading to denial of service or local privilege escalation. The issue is fixed in version 6. 23. 0.
AI Analysis
Technical Summary
Incus versions before 6.23.0 use predictable temporary file paths under /tmp for QEMU VM screenshots. A local attacker can pre-create symbolic links at these paths to manipulate the file operations performed by Incus. While the Linux kernel's protected_symlinks feature blocks such attacks on most systems, disabling this protection allows exploitation. Exploitation can result in truncation and permission changes to arbitrary files, causing denial of service or local privilege escalation. The vulnerability is tracked as CWE-61 (Improper Handling of Symbolic Links) and has a CVSS 4.7 (medium) score. The issue is resolved in Incus 6.23.0.
Potential Impact
On systems with protected_symlinks enabled (the majority), exploitation attempts result in permission denied errors, preventing impact. On systems where this kernel protection is disabled, local attackers can manipulate arbitrary files by exploiting the symlink vulnerability, potentially causing denial of service or local privilege escalation. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade Incus to version 6.23.0 or later, where this vulnerability is fixed. Systems relying on the Linux kernel's protected_symlinks feature are generally protected, but disabling this feature increases risk. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated in patchLinks but the description confirms the fix is in version 6.23.0.
CVE-2026-33711: CWE-61: UNIX Symbolic Link (Symlink) Following in lxc incus
Description
CVE-2026-33711 is a medium severity vulnerability in Incus, a system container and VM manager, affecting versions prior to 6. 23. 0. The vulnerability arises from the use of predictable temporary file paths under /tmp for VM screenshots, allowing a local attacker to create symlinks that can be abused. On most Linux systems, a kernel security feature called protected_symlinks prevents exploitation, resulting in a permission denied error. However, on systems where this feature is disabled, an attacker can cause Incus to truncate and modify arbitrary files, potentially leading to denial of service or local privilege escalation. The issue is fixed in version 6. 23. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Incus versions before 6.23.0 use predictable temporary file paths under /tmp for QEMU VM screenshots. A local attacker can pre-create symbolic links at these paths to manipulate the file operations performed by Incus. While the Linux kernel's protected_symlinks feature blocks such attacks on most systems, disabling this protection allows exploitation. Exploitation can result in truncation and permission changes to arbitrary files, causing denial of service or local privilege escalation. The vulnerability is tracked as CWE-61 (Improper Handling of Symbolic Links) and has a CVSS 4.7 (medium) score. The issue is resolved in Incus 6.23.0.
Potential Impact
On systems with protected_symlinks enabled (the majority), exploitation attempts result in permission denied errors, preventing impact. On systems where this kernel protection is disabled, local attackers can manipulate arbitrary files by exploiting the symlink vulnerability, potentially causing denial of service or local privilege escalation. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade Incus to version 6.23.0 or later, where this vulnerability is fixed. Systems relying on the Linux kernel's protected_symlinks feature are generally protected, but disabling this feature increases risk. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated in patchLinks but the description confirms the fix is in version 6.23.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T17:06:05.747Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c5ba613c064ed76fe1f5ce
Added to database: 3/26/2026, 10:59:45 PM
Last enriched: 4/3/2026, 1:32:11 PM
Last updated: 5/11/2026, 5:15:44 AM
Views: 121
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.