CVE-2026-33945 Overview
CVE-2026-33945 is a critical path traversal vulnerability in Incus, a system container and virtual machine manager developed by LinuxContainers. The vulnerability exists in the systemd credential handling mechanism for container instances, where insufficient input validation allows attackers to write arbitrary files as root on the host system.
Incus instances provide an option to pass credentials to systemd in the guest environment. For containers, this is accomplished through a shared directory. The vulnerability arises from the systemd.credential.XYZ configuration key syntax, where XYZ can contain additional periods. Prior to version 6.23.0, an attacker can craft a configuration key such as systemd.credential.../../../../../../root/.bashrc to force Incus to write outside the designated credentials directory, achieving arbitrary file write capabilities with root privileges.
Critical Impact
This path traversal vulnerability enables attackers to write arbitrary files as root on the host system, leading to both privilege escalation and denial of service attacks on systems running vulnerable Incus versions.
Affected Products
- Linuxcontainers Incus versions prior to 6.23.0
- Systems utilizing Incus systemd credential passthrough functionality
- Container environments configured with systemd credential configuration keys
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-33945 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33945
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw resides in how Incus processes the systemd.credential.* configuration namespace without properly sanitizing the credential name portion.
The attack exploits a design oversight where the credential name suffix in systemd.credential.XYZ is directly used to construct file paths within the credentials directory. Since the credential name can legitimately contain periods (e.g., systemd.credential.my.service.token), the parser does not strip or reject path separators embedded within the credential name. This allows an attacker with the ability to set container configuration keys to inject relative path sequences like ../ to traverse out of the intended credentials directory.
While the vulnerability does not permit reading arbitrary files, the ability to write content as root presents severe security implications. An attacker can overwrite critical system files, inject malicious scripts into shell initialization files, modify cron jobs, or corrupt essential configuration files to cause denial of service.
Root Cause
The root cause is improper input validation in the Incus credential handling code path. When processing systemd.credential.* configuration keys, the application fails to sanitize or validate the credential name portion for path traversal sequences. The code constructs a file path by directly appending the user-supplied credential name to the base credentials directory path without canonicalizing the result or checking that the final path remains within the intended directory boundary.
Attack Vector
The attack is network-accessible and requires low privileges to execute. An attacker with the ability to modify container configuration—such as an authenticated user with container management permissions—can set a malicious configuration key. The exploitation flow involves:
- Attacker identifies a target Incus container with systemd credential support enabled
- Attacker sets a configuration key with embedded path traversal sequences (e.g., systemd.credential.../../../../../../etc/cron.d/backdoor)
- Incus processes the configuration and writes the credential value to the traversed path
- The malicious content is written as root, achieving arbitrary file write on the host system
The vulnerability enables privilege escalation from container administrator to host root, as well as denial of service through corruption of critical system files. See the GitHub Security Advisory for complete technical details.
Detection Methods for CVE-2026-33945
Indicators of Compromise
- Configuration keys containing path traversal sequences such as ../ within systemd.credential.* entries
- Unexpected file modifications in system directories (e.g., /root/, /etc/) timestamped during Incus container operations
- New or modified files in sensitive locations like /root/.bashrc, /etc/cron.d/, or /etc/sudoers.d/
- Container configurations with unusually long or obfuscated credential names
Detection Strategies
- Audit Incus container configurations for systemd.credential.* keys containing ../ or encoded path traversal sequences
- Implement file integrity monitoring (FIM) on critical host system files to detect unauthorized modifications
- Monitor Incus logs for configuration changes involving systemd credential parameters
- Deploy endpoint detection rules to alert on file write operations to sensitive directories originating from Incus processes
Monitoring Recommendations
- Enable verbose logging for Incus daemon operations and container configuration changes
- Configure SIEM alerting for any configuration keys matching patterns like systemd.credential.*../*
- Implement real-time monitoring of file system changes in /etc/, /root/, and other privileged directories
- Review container configuration history for anomalous credential key naming patterns
How to Mitigate CVE-2026-33945
Immediate Actions Required
- Upgrade Incus to version 6.23.0 or later immediately
- Audit existing container configurations for any systemd.credential.* keys containing path traversal sequences
- Review file integrity on host systems to identify any unauthorized file modifications
- Restrict container configuration modification permissions to trusted administrators only
Patch Information
LinuxContainers has released version 6.23.0 of Incus which addresses this vulnerability by implementing proper input validation and path canonicalization for systemd credential configuration keys. The fix ensures that credential names containing path traversal sequences are rejected, and file write operations are constrained to the designated credentials directory.
For detailed patch information and release notes, refer to the GitHub Security Advisory GHSA-q4q8-7f2j-9h9f.
Workarounds
- Disable systemd credential passthrough functionality for containers until the patch can be applied
- Implement strict access controls to limit which users can modify container configurations
- Deploy AppArmor or SELinux profiles to restrict Incus write operations to approved directories
- Use file system monitoring tools to detect and alert on writes outside expected credential paths
# Configuration example
# Verify current Incus version
incus version
# Upgrade Incus to patched version (example for apt-based systems)
apt update && apt install incus=6.23.0
# Audit existing configurations for suspicious credential keys
incus config show <container-name> | grep -E "systemd\.credential\..*/\.\."
# Restrict container configuration permissions (example)
incus config set <container-name> security.restricted=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
