Platform: go
Component: github.com/lxc/incus
Fixed in: 6.23.1, 6.23.0
CVE-2026-33945 describes a path traversal vulnerability affecting Incus instances, specifically within the github.com/lxc/incus/v6 component. This flaw allows an attacker to manipulate systemd credentials to escape the designated directory and overwrite arbitrary files on the host system. Successful exploitation can lead to local privilege escalation or a denial-of-service (DoS) condition. The vulnerability is resolved in Incus version 6.23.0.
CVE-2026-33945 in Incus is an arbitrary file write stemming from improper handling of the systemd-creds options within the github.com/lxc/incus project. An attacker with the ability to influence the configuration of Incus, specifically the systemd-creds settings, can leverage this flaw to write arbitrary files to the host system. This could involve overwriting critical system files, injecting malicious code, or exfiltrating sensitive data. The blast radius extends to the entire host system running Incus, as successful exploitation grants the attacker the ability to modify any file accessible by the user account associated with the systemd-creds configuration. For example, an attacker could overwrite /etc/passwd to gain root access, or modify configuration files for other services running on the host, leading to a complete compromise of the system. The severity is rated Critical (CVSS 9.9) due to the potential for complete system takeover and the relative ease with which an attacker could exploit the vulnerability if they have control over the Incus configuration. The impact is particularly severe in environments where Incus is used to manage container infrastructure, as a compromised Incus instance could lead to the compromise of multiple containers and the underlying host.
Currently, there are no publicly available exploitation reports or proof-of-concept (PoC) code for CVE-2026-33945, as indicated by the lack of an entry in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the Critical severity rating and the relatively straightforward nature of the vulnerability suggest that exploitation is possible and could emerge in the future. The absence of public exploits does not diminish the importance of applying the patch promptly. Organizations should prioritize patching Incus to version 6.23.0 or later to mitigate the risk of potential exploitation. The lack of current exploitation should not be interpreted as an indication that the vulnerability is not serious; rather, it underscores the importance of proactive security measures.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33945 is to upgrade Incus to version 6.23.0 or later. This version includes a fix that addresses the arbitrary file write vulnerability. If upgrading is not immediately feasible, a temporary workaround involves carefully restricting the permissions and access granted to the user account used for systemd-creds authentication. This should include limiting the directories and files that the user can write to. Thoroughly review and audit the Incus configuration to ensure that the systemd-creds options are not being misused. After applying the upgrade or implementing the workaround, verify the fix by attempting to trigger the vulnerability using a controlled test environment. This should involve simulating an attacker's attempt to write an arbitrary file and confirming that the attempt is blocked. Regular security audits and vulnerability scanning of the Incus deployment are also recommended to proactively identify and address potential security weaknesses.
Update Incus to version 6.23.0 or higher. This version fixes the vulnerability that allows arbitrary file writes. The update can be performed through the system package manager or by downloading the new version from the official website.
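The bug class here is a credential name that is joined onto a designated directory without validation, so that a name containing path separators or ".." resolves to a file outside that directory. As an added example (not Incus's own code, and not the actual fix), the following Go snippet contrasts the unsafe join with a hardened helper that treats a credential name as a single path component and re-checks the joined result; the base directory "/srv/creds" is a constructed placeholder, not the directory Incus uses.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeCredentialName is returned for any name that could leave the base directory.
var ErrUnsafeCredentialName = errors.New("unsafe credential name")

// NaiveCredentialPath shows the vulnerable pattern: joining an untrusted name
// directly onto the base directory. filepath.Join cleans the result, so a name
// such as "../etc/passwd" silently resolves to a path outside baseDir.
func NaiveCredentialPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// SafeCredentialPath is a hypothetical hardened helper: a credential name must be
// exactly one path component, and the joined path must still sit under baseDir.
func SafeCredentialPath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return "", ErrUnsafeCredentialName
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name)
	// Second, independent check: the path relative to base must not start with "..".
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeCredentialName
	}
	return full, nil
}

func main() {
	// Constructed sample names: one legitimate, two that attempt to escape.
	for _, n := range []string{"db-password", "../etc/passwd", "sub/name"} {
		safe, err := SafeCredentialPath("/srv/creds", n)
		fmt.Printf("%-16q naive=%-22s safe=%q err=%v\n", n, NaiveCredentialPath("/srv/creds", n), safe, err)
	}
}
```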
CVE-2026-33945 is a critical vulnerability in Incus that allows for arbitrary file writes through its systemd-creds options.
Versions of Incus prior to 6.23.0 are affected by this vulnerability.
Upgrade Incus to version 6.23.0 or later to resolve this issue.
As of now, there are no publicly known exploits for CVE-2026-33945, but the vulnerability is considered critical.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-33945 for more details.