CVE-2026-23953: Incus container environment configuration newline injection
A user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable whose value contains newlines. Because the value is written verbatim into the container’s generated lxc.conf, each embedded newline starts a new configuration line, so the user can inject additional configuration items. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host.
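The following added example (not code from the Incus project) contrasts the vulnerable pattern of copying an environment value straight into a generated `lxc.environment` line with a hardened renderer that rejects line breaks; the key-name pattern, function names and the sample injected value are assumptions constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// envKeyRe is an assumed shape for an acceptable variable name.
var envKeyRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// renderEnvUnchecked is the vulnerable pattern: the value is copied verbatim
// into the generated lxc.conf line, so an embedded newline starts a new
// configuration line that LXC parses as a separate key.
func renderEnvUnchecked(key, value string) string {
	return fmt.Sprintf("lxc.environment = %s=%s\n", key, value)
}

// renderEnvChecked is the hardened form: it refuses any key or value that
// could break out of the single line it is meant to occupy.
func renderEnvChecked(key, value string) (string, error) {
	if !envKeyRe.MatchString(key) {
		return "", fmt.Errorf("invalid environment variable name %q", key)
	}
	if strings.ContainsAny(value, "\r\n") {
		return "", errors.New("environment value must not contain line breaks")
	}
	return fmt.Sprintf("lxc.environment = %s=%s\n", key, value), nil
}

// countConfigLines reports how many configuration entries a rendered
// fragment contains; one environment variable must yield exactly one.
func countConfigLines(rendered string) int {
	return len(strings.Split(strings.TrimSuffix(rendered, "\n"), "\n"))
}

func main() {
	// Constructed sample: a value smuggling a second configuration line.
	injected := "ok\nlxc.environment = INJECTED=1"
	fmt.Printf("unchecked renderer produced %d config lines\n",
		countConfigLines(renderEnvUnchecked("FOO", injected)))
	if _, err := renderEnvChecked("FOO", injected); err != nil {
		fmt.Println("checked renderer rejected it:", err)
	}
}
```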
References
- github.com/advisories/GHSA-x6jc-phwx-hp32
- github.com/lxc/incus
- github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go
- github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32
- github.com/user-attachments/files/24473682/environment_newline_injection.sh
- github.com/user-attachments/files/24473685/environment_newline_injection.patch
- nvd.nist.gov/vuln/detail/CVE-2026-23953