{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33945/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Incus"],"_cs_severities":["critical"],"_cs_tags":["incus","path-traversal","privilege-escalation","denial-of-service","CVE-2026-33945","linux"],"_cs_type":"advisory","_cs_vendors":["Incus"],"content_html":"\u003cp\u003eIncus, a system container and virtual machine manager, is susceptible to a critical vulnerability (CVE-2026-33945) affecting versions prior to 6.23.0. The vulnerability resides in the handling of systemd credentials passed to guest containers. An attacker can exploit this by crafting a configuration key (e.g., \u003ccode\u003esystemd.credential.../../../../../../root/.bashrc\u003c/code\u003e) containing path traversal sequences, causing Incus to write outside the intended \u003ccode\u003ecredentials\u003c/code\u003e directory. This occurs because Incus insufficiently validates the \u003ccode\u003esystemd.credential.XYZ\u003c/code\u003e syntax, allowing the \u003ccode\u003eXYZ\u003c/code\u003e portion to include periods and traverse the filesystem. While direct data reading is prevented, the ability to write arbitrary files as root grants attackers privilege escalation and denial-of-service capabilities. Users should upgrade to version 6.23.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Incus instance running a version prior to 6.23.0.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the Incus instance, potentially through existing vulnerabilities or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious configuration key using the \u003ccode\u003esystemd.credential.XYZ\u003c/code\u003e syntax, embedding path traversal sequences (e.g., \u003ccode\u003esystemd.credential.../../../../../../root/.bashrc\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sets the crafted configuration key within the Incus instance's configuration.\u003c/li\u003e\n\u003cli\u003eIncus attempts to write the systemd credential data to the specified path, which, due to the path traversal, resolves to an arbitrary location on the host filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical system file (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e/etc/passwd\u003c/code\u003e) with malicious content, leveraging root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the overwritten file (e.g., by logging in as root, starting a new shell, or restarting a service).\u003c/li\u003e\n\u003cli\u003eThe attacker gains escalated privileges or causes a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33945 allows attackers to gain root privileges on the Incus host system. This can lead to complete system compromise, including data theft, modification, or destruction. Furthermore, attackers can leverage this vulnerability to cause a denial of service by overwriting critical system files. The severity is high due to the ease of exploitation and the potential for significant impact on affected systems. While there is no public report on the number of victims, any organization using vulnerable versions of Incus is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Incus to version 6.23.0 or later to patch CVE-2026-33945.\u003c/li\u003e\n\u003cli\u003eImplement filesystem monitoring for unexpected writes to sensitive system directories (e.g., \u003ccode\u003e/root\u003c/code\u003e, \u003ccode\u003e/etc\u003c/code\u003e) to detect potential exploitation attempts. Deploy the provided Sigma rule to detect suspicious file modifications.\u003c/li\u003e\n\u003cli\u003eEnable audit logging on Incus configuration files to monitor for unauthorized changes. Deploy the provided Sigma rule to detect unauthorized changes to incus configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-incus-path-traversal/","summary":"A path traversal vulnerability in Incus versions prior to 6.23.0 (CVE-2026-33945) allows an attacker to write arbitrary files as root, leading to privilege escalation and denial of service by crafting a malicious systemd credential path.","title":"Incus Path Traversal Vulnerability (CVE-2026-33945)","url":"https://feed.craftedsignal.io/briefs/2024-01-incus-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-33945","version":"https://jsonfeed.org/version/1.1"}