PT-2026-53013 · Incus · Incus
Published
2026-06-26
·
Updated
2026-07-07
·
CVE-2026-48752
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Incus (affected versions not specified)
Description
A flaw exists where a specially crafted container image or instance backup can be used to read or create and write arbitrary files on the host, potentially leading to arbitrary command execution. The issue occurs because the software fails to reject a top-level
templates symlink during tar extraction in internal/server/storage/utils.go and shared/archive/archive.go. Additionally, for instance backups, the rsync.LocalCopy function in internal/server/storage/drivers/driver dir volumes.go uses the -a argument without the --safe-links flag, allowing the same symlink exploitation. This enables a malicious actor to map the templates directory to an arbitrary host directory, such as /etc/cron.d, to modify system files.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Incus