<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-33945 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33945/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 28 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33945/feed.xml" rel="self" type="application/rss+xml"/><item><title>Incus Path Traversal Vulnerability (CVE-2026-33945)</title><link>https://feed.craftedsignal.io/briefs/2024-01-incus-path-traversal/</link><pubDate>Sun, 28 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-incus-path-traversal/</guid><description>A path traversal vulnerability in Incus versions prior to 6.23.0 (CVE-2026-33945) allows an attacker to write arbitrary files as root, leading to privilege escalation and denial of service by crafting a malicious systemd credential path.</description><content:encoded><![CDATA[<p>Incus, a system container and virtual machine manager, is susceptible to a critical vulnerability (CVE-2026-33945) affecting versions prior to 6.23.0. The vulnerability resides in the handling of systemd credentials passed to guest containers. An attacker can exploit this by crafting a configuration key (e.g., <code>systemd.credential.../../../../../../root/.bashrc</code>) containing path traversal sequences, causing Incus to write outside the intended <code>credentials</code> directory. This occurs because Incus insufficiently validates the <code>systemd.credential.XYZ</code> syntax, allowing the <code>XYZ</code> portion to include periods and traverse the filesystem. While direct data reading is prevented, the ability to write arbitrary files as root grants attackers privilege escalation and denial-of-service capabilities. Users should upgrade to version 6.23.0 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an Incus instance running a version prior to 6.23.0.</li>
<li>The attacker gains access to the Incus instance, potentially through existing vulnerabilities or compromised credentials.</li>
<li>Attacker crafts a malicious configuration key using the <code>systemd.credential.XYZ</code> syntax, embedding path traversal sequences (e.g., <code>systemd.credential.../../../../../../root/.bashrc</code>).</li>
<li>The attacker sets the crafted configuration key within the Incus instance's configuration.</li>
<li>Incus attempts to write the systemd credential data to the specified path, which, due to the path traversal, resolves to an arbitrary location on the host filesystem.</li>
<li>The attacker overwrites a critical system file (e.g., <code>.bashrc</code>, <code>/etc/passwd</code>) with malicious content, leveraging root privileges.</li>
<li>The attacker triggers the execution of the overwritten file (e.g., by logging in as root, starting a new shell, or restarting a service).</li>
<li>The attacker gains escalated privileges or causes a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33945 allows attackers to gain root privileges on the Incus host system. This can lead to complete system compromise, including data theft, modification, or destruction. Furthermore, attackers can leverage this vulnerability to cause a denial of service by overwriting critical system files. The severity is high due to the ease of exploitation and the potential for significant impact on affected systems. While there is no public report on the number of victims, any organization using vulnerable versions of Incus is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Incus to version 6.23.0 or later to patch CVE-2026-33945.</li>
<li>Implement filesystem monitoring for unexpected writes to sensitive system directories (e.g., <code>/root</code>, <code>/etc</code>) to detect potential exploitation attempts. Deploy the provided Sigma rule to detect suspicious file modifications.</li>
<li>Enable audit logging on Incus configuration files to monitor for unauthorized changes. Deploy the provided Sigma rule to detect unauthorized changes to incus configuration files.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>incus</category><category>path-traversal</category><category>privilege-escalation</category><category>denial-of-service</category><category>CVE-2026-33945</category><category>linux</category></item></channel></rss>