CVE-2026-33945: Incus has an arbitrary file write through its systemd-creds options
Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. An attacker can use the name of a systemd credential to escape that directory and overwrite arbitrary files on the host system.
This can in turn be used to perform local privilege escalation or cause a DoS.
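The bug class described above, as an added example in Go (the language Incus is written in). This is not Incus code and not the project's actual fix; it contrasts joining a credential name onto a shared directory unchecked with accepting only a single file-name component. The function names and the base path are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadCredentialName is returned for names that are not a single file name.
var ErrBadCredentialName = errors.New("invalid credential name")

// UnsafeCredentialPath shows the flawed pattern: the name is joined as-is,
// so ".." components resolve to a location outside baseDir.
func UnsafeCredentialPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// SafeCredentialPath accepts only a single path component, then verifies
// that the joined path still sits directly inside baseDir.
func SafeCredentialPath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || len(name) > 255 ||
		strings.ContainsAny(name, "/\\\x00") {
		return "", ErrBadCredentialName
	}
	p := filepath.Join(baseDir, name)
	// Defense in depth: the parent of the result must be baseDir itself.
	if filepath.Dir(p) != filepath.Clean(baseDir) {
		return "", ErrBadCredentialName
	}
	return p, nil
}

func main() {
	base := "/run/example/credentials" // constructed path, not Incus's real one
	// Constructed sample names: one ordinary, three that must be rejected.
	for _, n := range []string{"db-password", "../../outside", "..", "a/b"} {
		p, err := SafeCredentialPath(base, n)
		fmt.Printf("%-16q unsafe=%-40s safe=%q err=%v\n",
			n, UnsafeCredentialPath(base, n), p, err)
	}
}
```

The name check does not cover a symlink already planted inside the shared directory; the file-creation call also has to refuse to follow links.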