Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-23954

8.7 HIGH

CVSS version: 3.1
Attack vector (AV): ADJACENT_NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 months ago

Incus container image templating arbitrary host file read and write

Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

References

https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7 x_refsource_CONFIRM
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 x_refsource_MISC
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294 x_refsource_MISC
https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh x_refsource_MISC
https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch x_refsource_MISC
https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7 x_refsource_CONFIRM
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 x_refsource_MISC
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294 x_refsource_MISC
https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh x_refsource_MISC
https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch x_refsource_MISC

Affected products

incus

==<= 6.0.5
==>= 6.1.0, <= 6.20.0

Matching in nixpkgs

pkgs.incus

Powerful system container and virtual machine manager

nixos-unstable 6.18.0
- nixpkgs-unstable 6.18.0
- nixos-unstable-small 6.18.0

pkgs.incus-lts

Powerful system container and virtual machine manager

nixos-unstable 6.0.5
- nixpkgs-unstable 6.0.5
- nixos-unstable-small 6.0.5

pkgs.incus-ui-canonical

Web user interface for Incus

nixos-unstable 0.18.3
- nixpkgs-unstable 0.18.3
- nixos-unstable-small 0.18.3

pkgs.terraform-providers.incus

None

nixos-unstable -
- nixos-unstable-small 1.0.0

pkgs.terraform-providers.lxc_incus

None

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0

Package maintainers

@jnsgruk Jon Seager <jon@sgrs.uk>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@mkg20001 Maciej Krüger <mkg20001+nix@gmail.com>
@aanderse Aaron Andersen <aaron@fosslib.net>
@megheaiulian Meghea Iulian <iulian.meghea@gmail.com>