2452054 – (CVE-2026-33945) CVE-2026-33945 incus: Incus: Privilege escalation and denial of service via path traversal in systemd credential configuration

Bug 2452054 (CVE-2026-33945) - CVE-2026-33945 incus: Incus: Privilege escalation and denial of service via path traversal in systemd credential configuration

Summary: CVE-2026-33945 incus: Incus: Privilege escalation and denial of service via p...

Keywords:
Status:	NEW
Alias:	CVE-2026-33945
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2452106
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-27 00:02 UTC by OSIDB Bzimport
Modified:	2026-03-27 07:07 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-27 00:02:03 UTC

Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.