PT-2026-4281 · Lxc.Conf+3
Rmcnamara-Snyk · Published 2026-01-01 · Updated 2026-05-12 · CVE-2026-23953
CVSS v3.1 8.7 High
Vector AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Incus versions 6.20.0 and below
Description Incus is a system container and virtual machine manager. A user with the ability to launch a container with a custom YAML configuration can create an environment variable containing newlines. This can be used to add additional configuration items in the container’s lxc.conf due to newline injection, potentially allowing the addition of arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step. The lxc.conf file is affected.
Recommendations Versions prior to 6.20.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
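The description above comes down to one rendering step: a user-controlled value is written into a line-oriented config file without being checked for line breaks. The following Go sketch, added here and not taken from Incus, shows why that matters and what the fix looks like. `EnvVar`, `RenderUnchecked`, `ValidateEnvVar` and `ConfigKeys` are hypothetical names; the sample key `lxc.injected.key` is constructed and stands in for any setting, not for a real LXC key.

```go
package main

import (
	"fmt"
	"strings"
)

// EnvVar is one environment variable from a user-supplied container
// configuration (a hypothetical input shape, not Incus's own types).
type EnvVar struct{ Key, Value string }

// RenderUnchecked writes "lxc.environment = KEY=VALUE" lines with no
// validation, the behaviour the advisory describes: a newline inside a
// value ends the line early, so whatever follows it is parsed as a
// separate configuration key.
func RenderUnchecked(vars []EnvVar) string {
	var b strings.Builder
	for _, v := range vars {
		fmt.Fprintf(&b, "lxc.environment = %s=%s\n", v.Key, v.Value)
	}
	return b.String()
}

// ValidateEnvVar is the hardening step: run it on every entry before
// rendering. It rejects CR, LF and NUL anywhere, and keys that are empty
// or contain '=' (which would shift where the parser splits the line).
func ValidateEnvVar(v EnvVar) error {
	if v.Key == "" || strings.ContainsAny(v.Key, "=\r\n\x00") {
		return fmt.Errorf("invalid environment key %q", v.Key)
	}
	if strings.ContainsAny(v.Value, "\r\n\x00") {
		return fmt.Errorf("value of %s contains a line break or NUL", v.Key)
	}
	return nil
}

// ConfigKeys lists the keys a line-oriented lxc.conf parser would see, so a
// caller can verify that rendering N variables yields exactly N keys.
func ConfigKeys(conf string) []string {
	var keys []string
	for _, line := range strings.Split(conf, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		key, _, _ := strings.Cut(line, "=")
		keys = append(keys, strings.TrimSpace(key))
	}
	return keys
}
```

Rendering two variables and getting three keys back is the detection signal: any mismatch between the number of inputs and the number of keys in the generated file means a value broke out of its line.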

Related Identifiers

BDU:2026-00872
CVE-2026-23953
GHSA-X6JC-PHWX-HP32
GO-2026-4359
OPENSUSE-SU-2026:10280-1
SUSE-SU-2026:0403-1

Affected Products

Incus
IncusOS
RED OS
lxc.conf