CVE-2026-33945

CRITICAL 10.0

Abitrary file write through systemd-creds option

CVSS Score

10.0

EPSS Score

0.1%

EPSS Percentile

18th

Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.

CWE	CWE-22
Vendor	lxc
Product	incus
Published	Mar 26, 2026
Last Updated	Mar 27, 2026

Stay Ahead of the Next One

Get instant alerts for lxc incus

Be the first to know when new critical vulnerabilities affecting lxc incus are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

lxc / incus

< 6.23.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f