<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Incus (Vulnerable: &lt; 7.2.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/incus-vulnerable--7.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 10:35:11 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/incus-vulnerable--7.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Incus Argument Injection Vulnerability Leads to Arbitrary File Write and Command Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-incus-argument-injection-afw-ace/</link><pubDate>Fri, 03 Jul 2026 10:35:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-incus-argument-injection-afw-ace/</guid><description>An argument injection vulnerability (CVE-2026-48755) exists in Incus due to improper validation of the user-provided backup compression algorithm, allowing an authenticated attacker to inject arbitrary arguments into the command line, leading to an arbitrary file write on the host and subsequent arbitrary command execution.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-48755, affects Incus versions prior to 7.2.0, stemming from an argument injection flaw in its backup compression algorithm processing. The flaw allows an authenticated attacker to manipulate the <code>compression_algorithm</code> parameter, injecting arbitrary command-line arguments into the <code>zstd</code> compressor execution. This enables an arbitrary file write (AFW) operation on the host system where Incus is running. Attackers can leverage this AFW to write malicious content to sensitive locations, such as cron job directories (<code>/etc/cron.d/</code>), thereby achieving arbitrary command execution (ACE). This vulnerability is particularly dangerous as it provides a pathway from a compromised Incus instance to full system compromise of the host. Defenders should prioritize patching and monitoring for suspicious <code>zstd</code> command executions and unexpected file writes in system configuration paths.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker (e.g., a user with Incus client certificate access to the API) gains control over an Incus instance.</li>
<li>The attacker uploads a malicious payload (e.g., a reverse shell script or system command) into the compromised Incus instance, accessible from the host filesystem.</li>
<li>The attacker crafts a malicious <code>compression_algorithm</code> string containing argument injection payloads, such as <code>zstd -d -f --pass-through -o /etc/cron.d/incus-zstd-rce -- /var/lib/incus/.../payload</code>.</li>
<li>The attacker initiates a direct backup request to the Incus API for the compromised instance, specifying the crafted malicious <code>compression_algorithm</code>.</li>
<li>Incus, due to improper validation, constructs and executes a command similar to <code>exec.Command(&quot;zstd&quot;, &quot;-c&quot;, &quot;-d&quot;, &quot;-f&quot;, &quot;--pass-through&quot;, &quot;-o&quot;, &quot;/etc/cron.d/incus-zstd-rce&quot;, &quot;--&quot;, &quot;/var/lib/incus/.../payload&quot;)</code>.</li>
<li>The <code>zstd</code> command's argument injection leads to an arbitrary file write, copying the attacker-controlled payload from within the Incus instance to <code>/etc/cron.d/incus-zstd-rce</code> on the host system.</li>
<li>The newly created cron job on the host system is executed by the cron daemon at the specified interval, resulting in arbitrary command execution on the Incus host.</li>
<li>The executed command establishes persistence or performs further malicious actions, such as data exfiltration or deploying additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-48755 leads to an arbitrary file write on the host operating system, which attackers can immediately leverage for arbitrary command execution. This allows a privileged user within an Incus instance to escalate privileges to root on the underlying host, circumventing containerization. Such a compromise grants the attacker full control over the Incus host, potentially impacting all other instances running on that server, and facilitating lateral movement within the network. This vulnerability affects Incus users running versions prior to 7.2.0, with potential for widespread compromise in environments where Incus is used for virtualization or container management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-48755 by upgrading all Incus installations to version 7.2.0 or higher immediately.</li>
<li>Deploy the provided Sigma rule &quot;CVE-2026-48755: Incus Zstd Argument Injection Attempt&quot; to your SIEM to detect suspicious execution of <code>zstd</code> with potential argument injection patterns.</li>
<li>Enable <code>process_creation</code> logging for Linux systems to capture command-line arguments of processes like <code>zstd</code>.</li>
<li>Monitor for the creation of new files in system cron directories, specifically <code>/etc/cron.d/incus-zstd-rce</code>, using file integrity monitoring or <code>file_event</code> logging, as this indicates a successful arbitrary file write.</li>
<li>Block the arbitrary file write target <code>/etc/cron.d/incus-zstd-rce</code> from being created by non-system processes if possible, or create a <code>file_event</code> rule to alert on its creation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>argument-injection</category><category>arbitrary-file-write</category><category>remote-code-execution</category><category>container-escape</category><category>linux</category></item></channel></rss>