CVE-2026-33897: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in lxc incus
CVE-2026-33897 is a critical vulnerability in the Incus container and VM manager prior to version 6.23.0. It arises from improper neutralization of special elements in the pongo2 template engine, allowing arbitrary root-level file read and write on the host system. The vulnerability stems from the failure of the pongo2 chroot isolation, enabling templates within containers to escape their filesystem boundaries. Exploitation requires local privileges within an instance but results in full host compromise. The flaw affects all Incus versions before 6.23.0 and has a CVSS score of 10, indicating critical severity. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
Incus is a system container and virtual machine manager that supports pongo2 templates to dynamically generate files within container instances. Prior to version 6.23.0, Incus improperly implemented pongo2's chroot isolation feature, which was intended to restrict template file operations to the container's filesystem. Due to this improper neutralization of special elements in the template engine (CWE-1336), a crafted template file can bypass the chroot restriction and perform arbitrary file reads and writes on the host system with root privileges. This vulnerability allows an attacker with access to create or modify instance templates to escalate privileges from within a container to the host, effectively breaking container isolation. The vulnerability is critical, with a CVSS 3.1 base score of 10.0, reflecting its ease of exploitation (a network attack vector is not required, although local privileges are needed), complete compromise of confidentiality, integrity, and availability, and a scope change from container to host. The flaw was publicly disclosed on March 26, 2026, and patched in Incus 6.23.0. No public exploits have been reported yet, but the severity and nature of the vulnerability make it a prime target for attackers aiming for host takeover via container escape.
Potential Impact
This vulnerability enables attackers with local access to a container instance to escalate privileges to root on the host system, completely compromising the host's confidentiality, integrity, and availability. Organizations relying on Incus for container and VM management face risks of full system compromise, data breaches, and potential lateral movement within their infrastructure. The breach of container isolation undermines trust in container security, potentially affecting multi-tenant environments and cloud service providers. Exploitation could lead to deployment of persistent malware, destruction or theft of sensitive data, and disruption of critical services. Given the critical CVSS score and root-level access, the impact is severe and can affect any organization using vulnerable versions of Incus, especially those running production workloads in containerized environments.
Mitigation Recommendations
The primary mitigation is to upgrade Incus to version 6.23.0 or later, where the vulnerability is patched. Until the upgrade is applied, organizations should restrict access to container instance template creation and modification to trusted administrators only. Implement strict access controls and monitoring on container management interfaces to detect suspicious template activity. Employ runtime security tools that can detect anomalous file system operations originating from containers. Consider isolating critical workloads on hosts not running vulnerable Incus versions. Regularly audit container configurations and template files for unauthorized changes. Additionally, host-based intrusion detection systems and file integrity monitoring can help identify exploitation attempts. Network segmentation to limit lateral movement from compromised containers is also recommended.
Affected Countries
United States, Germany, Japan, United Kingdom, France, Canada, Australia, Netherlands, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T15:41:47.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5ba613c064ed76fe1f5d4
Added to database: 3/26/2026, 10:59:45 PM
Last enriched: 3/26/2026, 11:15:18 PM
Last updated: 3/27/2026, 12:05:59 AM