HIGH · CVE-2026-23954 · CVSS 8.7

CVE-2026-23954: RCE in Incus Container Management

Platform

go

Component

github.com/lxc/incus/v6/cmd/incusd

Fixed in

6.1.1

6.0.6

6.20.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-23954 is a critical remote code execution (RCE) vulnerability affecting Incus, a Kubernetes-native container management system. An attacker with the ability to launch containers using custom images can exploit a flaw in the templating functionality to achieve arbitrary file read and write on the host system, ultimately leading to command execution. This vulnerability impacts Incus versions prior to 6.1.1 and also affects IncusOS. A fix is available in version 6.1.1.


Impact and Attack Scenarios

The impact of CVE-2026-23954 is severe. Successful exploitation allows an attacker to gain complete control over the host system running Incus. This can lead to data breaches, system compromise, and the potential for lateral movement within the network. The vulnerability stems from insufficient validation of paths within the templating engine when processing container image metadata. An attacker can craft a malicious metadata.yaml file containing symbolic links or directory traversal sequences to manipulate file access and execute arbitrary commands. This is particularly concerning in environments where container users have elevated privileges or access to sensitive data.
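The kind of path-containment check the description calls for, shown as an added illustration rather than Incus's own code: it maps a template target from metadata.yaml onto the container rootfs and refuses both ".." traversal and symlinks that point back at the host (function names and the sample rootfs layout are assumptions).

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("template target escapes the container rootfs")

// ResolveTemplateTarget maps a metadata.yaml template target onto the host path
// under the absolute rootfs it may write to, rejecting ".." traversal and symlink escapes.
func ResolveTemplateTarget(rootfs, target string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(rootfs) // rootfs itself may be a link
	if err != nil {
		return "", err
	}
	joined := filepath.Join(realRoot, target) // Join cleans ".." components
	if !within(realRoot, joined) {
		return "", ErrEscape
	}
	// Resolve links in the deepest existing ancestor; the missing tail cannot be links.
	existing, rest := deepestExisting(joined)
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err // dangling link: refuse rather than guess
	}
	if !within(realRoot, resolved) {
		return "", ErrEscape
	}
	return filepath.Join(resolved, rest), nil
}

// within reports whether p is root itself or a path beneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// deepestExisting walks p upwards (stopping at rootfs, which exists) and returns
// the deepest existing component plus the not-yet-existing remainder.
func deepestExisting(p string) (existing, rest string) {
	for {
		if _, err := os.Lstat(p); err == nil {
			return p, rest
		}
		dir, base := filepath.Split(p)
		p, rest = filepath.Clean(dir), filepath.Join(base, rest)
	}
}
```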

Exploitation Context

CVE-2026-23954 was publicly disclosed on January 22, 2026. The vulnerability's exploitation context is currently unclear, but the combination of RCE and the ability to launch custom containers makes it a high-priority concern. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Medium

EPSS

0.05% (15% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (base score 8.7, High)

Attack Vector: Adjacent — requires network proximity: same LAN, Bluetooth, or local wireless segment. Not internet-exposed.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: github.com/lxc/incus/v6/cmd/incusd
Vendor: osv

Affected range | Fixed in
>= 6.1.0, <= 6.20.0 | 6.1.1
<= 6.0.5 | 6.0.6
6.1.0 – 6.20.0 | 6.20.1

Weakness Classification (CWE)


Mitigation and Workarounds

The primary mitigation for CVE-2026-23954 is to upgrade to Incus version 6.1.1 or later. If an immediate upgrade is not possible, restrict container user privileges to limit the impact of exploitation, and enforce strict image scanning and validation policies so that untrusted container images are not deployed. A WAF rule is unlikely to help here; instead, use network segmentation to limit the blast radius of a potential compromise. Monitor container logs for unusual file access patterns or command execution attempts.

How to fix

Upgrade Incus to a version above 6.20.0 or to version 6.0.6, once they are available. This will fix the arbitrary file read and write vulnerability on the host through the templating functionality.


Frequently asked questions

What is CVE-2026-23954 — RCE in Incus Container Management?

CVE-2026-23954 is a high-severity remote code execution vulnerability in Incus versions prior to 6.1.1. It allows attackers to execute arbitrary commands on the host system through manipulation of container image templates.

Am I affected by CVE-2026-23954 in Incus Container Management?

If you are running Incus versions prior to 6.1.1, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading to the patched version.

How do I fix CVE-2026-23954 in Incus Container Management?

Upgrade Incus to version 6.1.1 or later to address this vulnerability. Review and restrict container user privileges as an interim measure.

Is CVE-2026-23954 being actively exploited?

While no active exploitation has been publicly confirmed, the vulnerability's nature suggests a potential for rapid exploitation. Monitor your systems closely.

Where can I find the official Incus advisory for CVE-2026-23954?

Refer to the official Incus security advisory for detailed information and updates (placeholder URL, to be replaced with the actual advisory URL when available: https://github.com/lxc/incus/security/advisories/GHSA-xxxx-xxxx-xxxx).
