Incus Argument Injection Vulnerability Leads to Arbitrary File Write and Command Execution
An argument injection vulnerability (CVE-2026-48755) exists in Incus due to improper validation of the user-provided backup compression algorithm, allowing an authenticated attacker to inject arbitrary arguments into the command line, leading to an arbitrary file write on the host and subsequent arbitrary command execution.
A critical vulnerability, CVE-2026-48755, affects Incus versions prior to 7.2.0, stemming from an argument injection flaw in its backup compression algorithm processing. The flaw allows an authenticated attacker to manipulate the compression_algorithm parameter, injecting arbitrary command-line arguments into the zstd compressor execution. This enables an arbitrary file write (AFW) operation on the host system where Incus is running. Attackers can leverage this AFW to write malicious content to sensitive locations, such as cron job directories (/etc/cron.d/), thereby achieving arbitrary command execution (ACE). This vulnerability is particularly dangerous as it provides a pathway from a compromised Incus instance to full system compromise of the host. Defenders should prioritize patching and monitoring for suspicious zstd command executions and unexpected file writes in system configuration paths.
Attack Chain
- An authenticated attacker (e.g., a user with Incus client certificate access to the API) gains control over an Incus instance.
- The attacker uploads a malicious payload (e.g., a reverse shell script or system command) into the compromised Incus instance, accessible from the host filesystem.
- The attacker crafts a malicious
compression_algorithmstring containing argument injection payloads, such aszstd -d -f --pass-through -o /etc/cron.d/incus-zstd-rce -- /var/lib/incus/.../payload. - The attacker initiates a direct backup request to the Incus API for the compromised instance, specifying the crafted malicious
compression_algorithm. - Incus, due to improper validation, constructs and executes a command similar to
exec.Command("zstd", "-c", "-d", "-f", "--pass-through", "-o", "/etc/cron.d/incus-zstd-rce", "--", "/var/lib/incus/.../payload"). - The
zstdcommand's argument injection leads to an arbitrary file write, copying the attacker-controlled payload from within the Incus instance to/etc/cron.d/incus-zstd-rceon the host system. - The newly created cron job on the host system is executed by the cron daemon at the specified interval, resulting in arbitrary command execution on the Incus host.
- The executed command establishes persistence or performs further malicious actions, such as data exfiltration or deploying additional malware.
Impact
The successful exploitation of CVE-2026-48755 leads to an arbitrary file write on the host operating system, which attackers can immediately leverage for arbitrary command execution. This allows a privileged user within an Incus instance to escalate privileges to root on the underlying host, circumventing containerization. Such a compromise grants the attacker full control over the Incus host, potentially impacting all other instances running on that server, and facilitating lateral movement within the network. This vulnerability affects Incus users running versions prior to 7.2.0, with potential for widespread compromise in environments where Incus is used for virtualization or container management.
Recommendation
- Patch CVE-2026-48755 by upgrading all Incus installations to version 7.2.0 or higher immediately.
- Deploy the provided Sigma rule "CVE-2026-48755: Incus Zstd Argument Injection Attempt" to your SIEM to detect suspicious execution of
zstdwith potential argument injection patterns. - Enable
process_creationlogging for Linux systems to capture command-line arguments of processes likezstd. - Monitor for the creation of new files in system cron directories, specifically
/etc/cron.d/incus-zstd-rce, using file integrity monitoring orfile_eventlogging, as this indicates a successful arbitrary file write. - Block the arbitrary file write target
/etc/cron.d/incus-zstd-rcefrom being created by non-system processes if possible, or create afile_eventrule to alert on its creation.
Detection coverage 2
CVE-2026-48755: Incus Zstd Argument Injection Attempt
criticalDetects CVE-2026-48755 exploitation — suspicious command line arguments passed to 'zstd' indicative of argument injection attempting arbitrary file write, likely targeting /etc/cron.d.
CVE-2026-48755: Incus Host Cron Job Creation
highDetects CVE-2026-48755 exploitation — suspicious file creation or modification in '/etc/cron.d/' by a non-standard process, indicating a potential arbitrary file write from Incus or another service.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
file_path
| Type | Value |
|---|---|
| file_path | /etc/cron.d/incus-zstd-rce |
| file_path | /var/lib/incus/.../payload |