CVE-2026-33945: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in lxc incus
CVE-2026-33945 is a critical path traversal vulnerability in the Incus container and VM manager prior to version 6. 23. 0. It allows an attacker with limited privileges to write arbitrary files as root outside the intended credentials directory by exploiting improper pathname validation in configuration keys. This can lead to privilege escalation and denial of service without requiring user interaction. The vulnerability stems from the way Incus parses systemd credential keys, permitting directory traversal sequences. Although reading files is not possible, the ability to write arbitrary files as root poses a severe risk. The issue is fixed in Incus version 6. 23. 0.
AI Analysis
Technical Summary
Incus is a system container and virtual machine manager that allows containers to provide credentials to systemd within the guest environment via a shared directory. Prior to version 6.23.0, Incus improperly limits pathnames in configuration keys used for systemd credentials. Specifically, an attacker can craft a configuration key with a name pattern like `systemd.credential.../../../../../../root/.bashrc`, exploiting the fact that the Incus syntax allows multiple periods in the key name. This results in a path traversal vulnerability (CWE-22) that enables writing files outside the designated credentials directory. Although the attacker cannot read files, they can write arbitrary files as root on the host system, leading to privilege escalation and potential denial of service. The vulnerability requires low privileges (container configuration access) and no user interaction, making it highly exploitable remotely. The flaw is due to insufficient sanitization and validation of pathname components in configuration keys. The vulnerability was assigned CVE-2026-33945 and carries a CVSS 3.1 base score of 10.0, indicating critical severity with network attack vector, low attack complexity, and partial privileges required. The issue was resolved in Incus version 6.23.0 by properly restricting pathname traversal in configuration keys.
Potential Impact
This vulnerability allows attackers with limited container configuration access to write arbitrary files as root on the host system, leading to full privilege escalation. This compromises the confidentiality, integrity, and availability of the host and all containers running on it. Attackers can overwrite critical system files, implant backdoors, or disrupt system operations causing denial of service. The ability to escalate privileges from a container to the host breaks the isolation guarantees of containerization, severely impacting multi-tenant environments and cloud providers using Incus. Organizations relying on Incus for container or VM management face risks of unauthorized root access, data breaches, and service outages. The vulnerability's network accessibility and lack of user interaction requirements increase the likelihood of exploitation in the wild, potentially affecting critical infrastructure and enterprise environments.
Mitigation Recommendations
1. Immediately upgrade all Incus deployments to version 6.23.0 or later, which contains the fix for this vulnerability. 2. Restrict access to container configuration interfaces to trusted administrators only, minimizing the risk of malicious configuration changes. 3. Implement strict monitoring and alerting for unusual configuration key changes or file writes outside expected directories. 4. Employ host-based intrusion detection systems to detect unauthorized file modifications, especially in sensitive system paths. 5. Use container security best practices such as running containers with the least privileges and isolating critical workloads. 6. Regularly audit container and host file system integrity to detect potential exploitation attempts. 7. Consider additional runtime security tools that can detect and block path traversal or unauthorized file writes. 8. Educate administrators about the risks of improper configuration and the importance of timely patching.
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Netherlands, Australia
CVE-2026-33945: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in lxc incus
Description
CVE-2026-33945 is a critical path traversal vulnerability in the Incus container and VM manager prior to version 6. 23. 0. It allows an attacker with limited privileges to write arbitrary files as root outside the intended credentials directory by exploiting improper pathname validation in configuration keys. This can lead to privilege escalation and denial of service without requiring user interaction. The vulnerability stems from the way Incus parses systemd credential keys, permitting directory traversal sequences. Although reading files is not possible, the ability to write arbitrary files as root poses a severe risk. The issue is fixed in Incus version 6. 23. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Incus is a system container and virtual machine manager that allows containers to provide credentials to systemd within the guest environment via a shared directory. Prior to version 6.23.0, Incus improperly limits pathnames in configuration keys used for systemd credentials. Specifically, an attacker can craft a configuration key with a name pattern like `systemd.credential.../../../../../../root/.bashrc`, exploiting the fact that the Incus syntax allows multiple periods in the key name. This results in a path traversal vulnerability (CWE-22) that enables writing files outside the designated credentials directory. Although the attacker cannot read files, they can write arbitrary files as root on the host system, leading to privilege escalation and potential denial of service. The vulnerability requires low privileges (container configuration access) and no user interaction, making it highly exploitable remotely. The flaw is due to insufficient sanitization and validation of pathname components in configuration keys. The vulnerability was assigned CVE-2026-33945 and carries a CVSS 3.1 base score of 10.0, indicating critical severity with network attack vector, low attack complexity, and partial privileges required. The issue was resolved in Incus version 6.23.0 by properly restricting pathname traversal in configuration keys.
Potential Impact
This vulnerability allows attackers with limited container configuration access to write arbitrary files as root on the host system, leading to full privilege escalation. This compromises the confidentiality, integrity, and availability of the host and all containers running on it. Attackers can overwrite critical system files, implant backdoors, or disrupt system operations causing denial of service. The ability to escalate privileges from a container to the host breaks the isolation guarantees of containerization, severely impacting multi-tenant environments and cloud providers using Incus. Organizations relying on Incus for container or VM management face risks of unauthorized root access, data breaches, and service outages. The vulnerability's network accessibility and lack of user interaction requirements increase the likelihood of exploitation in the wild, potentially affecting critical infrastructure and enterprise environments.
Mitigation Recommendations
1. Immediately upgrade all Incus deployments to version 6.23.0 or later, which contains the fix for this vulnerability. 2. Restrict access to container configuration interfaces to trusted administrators only, minimizing the risk of malicious configuration changes. 3. Implement strict monitoring and alerting for unusual configuration key changes or file writes outside expected directories. 4. Employ host-based intrusion detection systems to detect unauthorized file modifications, especially in sensitive system paths. 5. Use container security best practices such as running containers with the least privileges and isolating critical workloads. 6. Regularly audit container and host file system integrity to detect potential exploitation attempts. 7. Consider additional runtime security tools that can detect and block path traversal or unauthorized file writes. 8. Educate administrators about the risks of improper configuration and the importance of timely patching.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T19:50:52.105Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c5c16a3c064ed76fe46d14
Added to database: 3/26/2026, 11:29:46 PM
Last enriched: 3/26/2026, 11:44:54 PM
Last updated: 3/27/2026, 1:41:43 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.