{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/incus-vulnerable--7.2.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Incus (vulnerable: \u003c 7.2.0)"],"_cs_severities":["critical"],"_cs_tags":["argument-injection","arbitrary-file-write","remote-code-execution","container-escape","linux"],"_cs_type":"advisory","_cs_vendors":["LXC"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-48755, affects Incus versions prior to 7.2.0, stemming from an argument injection flaw in its backup compression algorithm processing. The flaw allows an authenticated attacker to manipulate the \u003ccode\u003ecompression_algorithm\u003c/code\u003e parameter, injecting arbitrary command-line arguments into the \u003ccode\u003ezstd\u003c/code\u003e compressor execution. This enables an arbitrary file write (AFW) operation on the host system where Incus is running. Attackers can leverage this AFW to write malicious content to sensitive locations, such as cron job directories (\u003ccode\u003e/etc/cron.d/\u003c/code\u003e), thereby achieving arbitrary command execution (ACE). This vulnerability is particularly dangerous as it provides a pathway from a compromised Incus instance to full system compromise of the host. Defenders should prioritize patching and monitoring for suspicious \u003ccode\u003ezstd\u003c/code\u003e command executions and unexpected file writes in system configuration paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker (e.g., a user with Incus client certificate access to the API) gains control over an Incus instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious payload (e.g., a reverse shell script or system command) into the compromised Incus instance, accessible from the host filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ecompression_algorithm\u003c/code\u003e string containing argument injection payloads, such as \u003ccode\u003ezstd -d -f --pass-through -o /etc/cron.d/incus-zstd-rce -- /var/lib/incus/.../payload\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a direct backup request to the Incus API for the compromised instance, specifying the crafted malicious \u003ccode\u003ecompression_algorithm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIncus, due to improper validation, constructs and executes a command similar to \u003ccode\u003eexec.Command(\u0026quot;zstd\u0026quot;, \u0026quot;-c\u0026quot;, \u0026quot;-d\u0026quot;, \u0026quot;-f\u0026quot;, \u0026quot;--pass-through\u0026quot;, \u0026quot;-o\u0026quot;, \u0026quot;/etc/cron.d/incus-zstd-rce\u0026quot;, \u0026quot;--\u0026quot;, \u0026quot;/var/lib/incus/.../payload\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ezstd\u003c/code\u003e command's argument injection leads to an arbitrary file write, copying the attacker-controlled payload from within the Incus instance to \u003ccode\u003e/etc/cron.d/incus-zstd-rce\u003c/code\u003e on the host system.\u003c/li\u003e\n\u003cli\u003eThe newly created cron job on the host system is executed by the cron daemon at the specified interval, resulting in arbitrary command execution on the Incus host.\u003c/li\u003e\n\u003cli\u003eThe executed command establishes persistence or performs further malicious actions, such as data exfiltration or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-48755 leads to an arbitrary file write on the host operating system, which attackers can immediately leverage for arbitrary command execution. This allows a privileged user within an Incus instance to escalate privileges to root on the underlying host, circumventing containerization. Such a compromise grants the attacker full control over the Incus host, potentially impacting all other instances running on that server, and facilitating lateral movement within the network. This vulnerability affects Incus users running versions prior to 7.2.0, with potential for widespread compromise in environments where Incus is used for virtualization or container management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-48755 by upgrading all Incus installations to version 7.2.0 or higher immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;CVE-2026-48755: Incus Zstd Argument Injection Attempt\u0026quot; to your SIEM to detect suspicious execution of \u003ccode\u003ezstd\u003c/code\u003e with potential argument injection patterns.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging for Linux systems to capture command-line arguments of processes like \u003ccode\u003ezstd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new files in system cron directories, specifically \u003ccode\u003e/etc/cron.d/incus-zstd-rce\u003c/code\u003e, using file integrity monitoring or \u003ccode\u003efile_event\u003c/code\u003e logging, as this indicates a successful arbitrary file write.\u003c/li\u003e\n\u003cli\u003eBlock the arbitrary file write target \u003ccode\u003e/etc/cron.d/incus-zstd-rce\u003c/code\u003e from being created by non-system processes if possible, or create a \u003ccode\u003efile_event\u003c/code\u003e rule to alert on its creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:35:11Z","date_published":"2026-07-03T10:35:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-incus-argument-injection-afw-ace/","summary":"An argument injection vulnerability (CVE-2026-48755) exists in Incus due to improper validation of the user-provided backup compression algorithm, allowing an authenticated attacker to inject arbitrary arguments into the command line, leading to an arbitrary file write on the host and subsequent arbitrary command execution.","title":"Incus Argument Injection Vulnerability Leads to Arbitrary File Write and Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-incus-argument-injection-afw-ace/"}],"language":"en","title":"CraftedSignal Threat Feed - Incus (Vulnerable: \u003c 7.2.0)","version":"https://jsonfeed.org/version/1.1"}