Platform
go
Component
github.com/lxc/incus/v6/cmd/incusd
Fixed in
6.1.1
6.0.6
6.20.1
CVE-2026-23954 is a vulnerability in Incus, a system container and virtual machine manager; the affected component is the incusd daemon (github.com/lxc/incus/v6/cmd/incusd). An attacker who can launch an instance from a custom image can abuse the image templating feature to read and write arbitrary files on the host and, from there, execute commands on the host. Affected are Incus releases older than the fixed versions listed above (6.0.6 on the LTS branch, 6.1.1 and 6.20.1); IncusOS is affected as well.
The impact is severe. A user who can launch a container from a custom image, for example a member of the incus group on the host, can ship a crafted metadata.yaml inside that image. The templates section of metadata.yaml maps paths inside the instance root filesystem to template files carried in the image, and incusd renders those templates onto the rootfs from the host side. Target paths that contain directory traversal sequences, or that pass through symbolic links planted in the rootfs, make incusd read from or write to host paths outside the instance. Arbitrary host file read exposes configuration, credentials and source code; arbitrary host file write is enough to take over the host and run commands with the daemon's privileges, so the outcome is complete host compromise, data exfiltration or denial of service. On IncusOS the same flaw reaches the underlying operating system.
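The check below is an added illustration of the path-containment problem described above; it is not Incus's own code and not the project's patch. It assumes a hypothetical rendering routine that receives the target keys of an image's templates map (here a constructed list, ConstructedTargets) and must place each rendered file under the instance rootfs. NaiveTemplatePath shows the unsafe join, SafeTemplatePath rejects both lexical traversal and symlink components, and NewDemoRootfs builds a throwaway rootfs in a temp directory with /etc symlinked to a directory outside it so the symlink case can be exercised offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors a caller can test with errors.Is.
var (
	ErrEscapesRoot = errors.New("template target escapes the instance rootfs")
	ErrSymlink     = errors.New("template target path contains a symbolic link")
)

// ConstructedTargets stands in for the keys of the "templates:" map in a
// constructed metadata.yaml (illustrative data, not taken from a real image):
// a normal target whose parents do not exist yet, a traversal target that
// climbs out of the rootfs, and a target whose parent inside the rootfs is a
// symlink to a host directory.
var ConstructedTargets = []string{
	"/var/lib/cloud/seed/nocloud/user-data",
	"../../../../root/.ssh/authorized_keys",
	"/etc/hostname",
}

// NaiveTemplatePath is the unsafe pattern: filepath.Join cleans ".." against
// the rootfs prefix, so a traversal target resolves to a host path.
func NaiveTemplatePath(rootfs, target string) string {
	return filepath.Join(rootfs, target)
}

// SafeTemplatePath resolves target under rootfs and rejects two escapes:
// lexical traversal above rootfs, and any symlink component on the path
// that would redirect the write outside the rootfs.
func SafeTemplatePath(rootfs, target string) (string, error) {
	root := filepath.Clean(rootfs)
	joined := filepath.Join(root, target)
	if joined != root && !strings.HasPrefix(joined, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		if part == "" || part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // the rest of the path does not exist yet; nothing to follow
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return joined, nil
}

// TemplateVerdict is the result for one template target.
type TemplateVerdict struct {
	Target   string
	Resolved string
	Err      error
}

// ValidateTemplates applies SafeTemplatePath to every target of an image.
func ValidateTemplates(rootfs string, targets []string) []TemplateVerdict {
	out := make([]TemplateVerdict, 0, len(targets))
	for _, t := range targets {
		resolved, err := SafeTemplatePath(rootfs, t)
		out = append(out, TemplateVerdict{Target: t, Resolved: resolved, Err: err})
	}
	return out
}

// NewDemoRootfs builds a throwaway rootfs in a temp dir: /var is a real
// directory, /etc is a symlink to a directory outside the rootfs.
// The caller removes filepath.Dir(rootfs) when done.
func NewDemoRootfs() (string, error) {
	tmp, err := os.MkdirTemp("", "incus-template-demo-")
	if err != nil {
		return "", err
	}
	rootfs := filepath.Join(tmp, "rootfs")
	outside := filepath.Join(tmp, "outside")
	for _, d := range []string{filepath.Join(rootfs, "var"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	if err := os.Symlink(outside, filepath.Join(rootfs, "etc")); err != nil {
		return "", err
	}
	return rootfs, nil
}

func main() {
	rootfs, err := NewDemoRootfs()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	defer os.RemoveAll(filepath.Dir(rootfs))
	for _, v := range ValidateTemplates(rootfs, ConstructedTargets) {
		fmt.Printf("%s\n  naive join -> %s\n", v.Target, NaiveTemplatePath(rootfs, v.Target))
		if v.Err != nil {
			fmt.Printf("  rejected: %v\n", v.Err)
		} else {
			fmt.Printf("  ok -> %s\n", v.Resolved)
		}
	}
}
```

The Lstat walk closes the symlink hole only for the directory tree as it exists at check time; a rootfs the tenant controls can change between the check and the write, so a production implementation would also open the final path with O_NOFOLLOW or an openat2-style resolve-beneath flag rather than relying on the lexical and Lstat checks alone.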
CVE-2026-23954 was publicly disclosed on January 22, 2026. No active exploitation campaign has been reported and no public proof-of-concept exploit is known at the time of writing; the CVE is not listed in the CISA KEV catalog. Exploitation only requires the ability to supply a custom image, which is a low bar on any multi-user Incus host, so patching should not wait for in-the-wild reports.
At risk are organisations that run Incus to host containers and virtual machines, in particular multi-tenant or shared hosts where several users may import images and launch instances from them, and hosts whose instances handle sensitive data. Hosts still running a release older than the fixed versions are at the highest risk.
• linux / server:
incus version # compare the reported server version against the fixed releases listed above
• linux / server:
journalctl -u incus | grep -i template # incus is the systemd unit name; no dedicated log signature for this issue is documented here, so treat hits as a heuristic
• linux / server:
lsof -i :8443 | grep incusd # is the REST API exposed on the network? 8443 is the default HTTPS port when core.https_address is set
• generic web:
curl -sk https://<incus_ip>:8443/1.0 # an unauthenticated GET on the API root returns basic server information, confirming an exposed Incus API
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The fix is to upgrade Incus to a release that contains the patch: 6.0.6 on the LTS branch, 6.1.1 or 6.20.1 (see the fixed-in list above). Until the upgrade is done, restrict who can import images and launch instances from them: keep membership of the incus group and holders of API client certificates to trusted users, and source images only from trusted remotes. A web application firewall or filtering proxy does not help here: images arrive as tarballs over the authenticated Incus API and the metadata.yaml inside them is parsed only by incusd, so there is no request pattern for a proxy to filter. Review incusd logs and the host filesystem for template writes outside instance rootfs directories, for example unexpected changes under /etc or /root on the host.
Upgrade Incus to a release after 6.20.0, or to 6.0.6, as they become available; this fixes the arbitrary file read and write on the host through the templating functionality. (The fixed-in list above records 6.0.6, 6.1.1 and 6.20.1.)
CVE-2026-23954 is a high-severity vulnerability in Incus releases older than the fixed versions listed above. It lets a user who can launch an instance from a custom image read and write arbitrary host files through image templates, which leads to command execution on the host.
If you run an Incus release older than the fixed versions (6.0.6, 6.1.1, 6.20.1), you are potentially affected. Check the server version with incus version, assess who can import images in your environment, and prioritise the upgrade.
Upgrade Incus to a fixed release. As an interim measure, review and restrict which users can import images and launch instances from them.
No active exploitation has been publicly confirmed, but the low prerequisites (a custom image) make rapid exploitation plausible. Monitor your hosts closely.
Refer to the official Incus security advisory for details and updates (the GHSA identifier for this CVE is not recorded on this page; the advisory index is https://github.com/lxc/incus/security/advisories).