2452020 – (CVE-2026-33897) CVE-2026-33897 incus: pongo2: Incus: Arbitrary file read/write as root via pongo2 template chroot bypass

Bug 2452020 (CVE-2026-33897) - CVE-2026-33897 incus: pongo2: Incus: Arbitrary file read/write as root via pongo2 template chroot bypass

Summary: CVE-2026-33897 incus: pongo2: Incus: Arbitrary file read/write as root via po...

Keywords:
Status:	NEW
Alias:	CVE-2026-33897
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2452043 2452044
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-26 23:02 UTC by OSIDB Bzimport
Modified:	2026-03-26 23:22 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-26 23:02:01 UTC

Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue.

Note You need to log in before you can comment on or make changes to this bug.