PT-2025-46210 · Incus+2

Abdodz1234 · Published 2025-11-10 · Updated 2026-04-20 · CVE-2025-64507

CVSS v4.0: 8.6 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Incus versions prior to 6.0.6 and 6.19.0
LXD versions prior to 5.0.2-5+deb12u2
Incus versions prior to 6.0.4-2+deb13u2

Description
Incus, a system container and virtual machine manager, has a flaw that could allow local privilege escalation. The issue affects systems where a user who is unprivileged on the host has root inside a container that has a custom storage volume with the security.shifted property set to true. Specifically, such a user may be able to create a custom storage volume and write a setuid binary to it from within the container; because the volume's directory is reachable from the host, the binary can then be executed on the host to gain root privileges. The issue also affects LXD, another system container and virtual machine manager, when unprivileged users access it through lxd-user.

Recommendations
Upgrade Incus to version 6.0.6 or 6.19.0.
Upgrade LXD to version 5.0.2-5+deb12u2.
Upgrade Incus to version 6.0.4-2+deb13u2.
As a temporary workaround, manually restrict permissions using the following commands:
chmod 0700 /var/lib/incus/storage-pools//
chmod 0711 /var/lib/incus/storage-pools//buckets
chmod 0711 /var/lib/incus/storage-pools//container
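An added audit helper (not Incus or LXD project code) that checks whether the workaround permissions above are in place on each pool under a storage-pools directory. It assumes GNU stat (stat -c '%a'), uses the subdirectory names as printed in the workaround commands (buckets, container), and runs against a constructed sample tree when no directory is given on the command line.

```shell
#!/bin/sh
# Added audit helper, not Incus project code: checks whether the chmod
# workaround above is applied to each pool under a storage-pools directory.
# Subdirectory names (buckets, container) follow the commands printed on this
# page; the pool name is whatever directory exists. Assumes GNU stat -c '%a'.

# mode_of DIR: print the octal permission bits of DIR (e.g. 700), empty if missing
mode_of() { stat -c '%a' "$1" 2>/dev/null; }

# check_pool POOL_DIR: report each directory looser than the workaround.
# Returns 0 when the pool matches (0700 pool dir, 0711 subdirs), 1 otherwise.
check_pool() {
    pool=$1 rc=0
    if [ "$(mode_of "$pool")" != "700" ]; then
        echo "WEAK: $pool is $(mode_of "$pool"), expected 0700"; rc=1
    fi
    for sub in buckets container; do
        d="$pool/$sub"
        [ -d "$d" ] || continue            # subdir not present: nothing to check
        if [ "$(mode_of "$d")" != "711" ]; then
            echo "WEAK: $d is $(mode_of "$d"), expected 0711"; rc=1
        fi
    done
    return $rc
}

# audit_pools POOLS_DIR: run check_pool on every pool; 0 only if all pass
audit_pools() {
    status=0
    for pool in "$1"/*/; do
        [ -d "$pool" ] && { check_pool "${pool%/}" || status=1; }
    done
    return $status
}

# demo_tree: constructed sample layout, not a real host. "good" has the
# workaround applied, "bad" keeps permissive 0755 directories.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/good/buckets" "$t/good/container" "$t/bad/buckets" "$t/bad/container"
    chmod 0700 "$t/good" && chmod 0711 "$t/good/buckets" "$t/good/container"
    chmod 0755 "$t/bad" "$t/bad/buckets" "$t/bad/container"
    echo "$t"
}

# Stand-alone run: audit a real pools directory given as $1, else the demo tree
audit_pools "${1:-$(demo_tree)}" || echo "one or more pools still need the chmod workaround"
```

On a patched host the pool directory listed as WEAK is the one to fix; an empty report means every pool already matches the workaround.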

Exploit

Fix

LPE

Weakness Enumeration

Improper Privilege Management

Related Identifiers

BDU:2025-16114
CVE-2025-64507
DSA-6051-1
DSA-6057-1
GHSA-56MX-8G9F-5CRF
GO-2025-4115

Affected Products

Debian
Incus
Red Os