CVE-2026-33897

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Incus versions prior to 6.23.0

Description Incus, a system container and virtual machine manager, allows instance template files to be used to perform arbitrary read and write operations as root on the host server. The software utilizes pongo2 templates within instances, intended for templating files inside the instance. The pongo2 chroot isolation mechanism, designed to restrict file access to the instance's filesystem, is bypassed, granting access to the entire system's filesystem with root privileges. This issue impacts system security and could lead to data exposure or system manipulation.

Recommendations Update Incus to version 6.23.0 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336

Related Identifiers

BDU:2026-07327

CVE-2026-33897

GHSA-83XR-5XXR-MH92

GO-2026-4881

OPENSUSE-SU-2026:10450-1

Affected Products

Incus

Red Os

CVE-2026-33897

Weakness Enumeration

Related Identifiers

Affected Products

References · 32