CVE-2026-23954: Incus container image templating arbitrary host file read and write
(updated )
A user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) can use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write, ultimately resulting in arbitrary command execution on the host. This can also be exploited in IncusOS.
References
- github.com/advisories/GHSA-7f67-crqm-jgh7
- github.com/lxc/incus
- github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go
- github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go
- github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7
- github.com/user-attachments/files/24473599/template_arbitrary_write.sh
- github.com/user-attachments/files/24473601/templates_arbitrary_write.patch
- nvd.nist.gov/vuln/detail/CVE-2026-23954
Code Behaviors & Features
Detect and mitigate CVE-2026-23954 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →