{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/incus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["incus","image-poisoning","simplestreams"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability in Incus allows image cache poisoning when images are downloaded from simplestreams servers. Incus did not validate the combined fingerprint of a downloaded image (the hash covering the metadata tarball together with the rootfs), so an image server could supply altered image files under an existing fingerprint and the altered image would be stored in the server-wide image cache and served to other users. Incus servers that have not configured \u003ccode\u003erestricted.image.servers\u003c/code\u003e or equivalent firewall rules are affected. An attacker with access to such an Incus environment can point it at an image server they control, serve altered image files under the same fingerprint as a legitimate image, and thereby poison the global image cache. The attack is particularly effective on systems that frequently deploy new Incus instances, such as CI or build servers, where the injected code runs in every instance launched from the poisoned image.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to an Incus server that lacks \u003ccode\u003erestricted.image.servers\u003c/code\u003e configuration or equivalent network restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the legitimate image server (\u003ccode\u003eimages.linuxcontainers.org\u003c/code\u003e) for newly published images and notes their fingerprints.\u003c/li\u003e\n\u003cli\u003eOn an attacker-controlled simplestreams server (\u003ccode\u003eTESTSERVER\u003c/code\u003e), the attacker publishes a copy of a legitimate image under that image\u0026rsquo;s fingerprint, with the \u003ccode\u003erootfs.squashfs\u003c/code\u003e file modified to carry injected code.\u003c/li\u003e\n\u003cli\u003eThe attacker updates the \u003ccode\u003eimages.json\u003c/code\u003e file on \u003ccode\u003eTESTSERVER\u003c/code\u003e so that the per-file SHA256 hash and size of \u003ccode\u003erootfs.squashfs\u003c/code\u003e match the modified file, while the image keeps the legitimate fingerprint.\u003c/li\u003e\n\u003cli\u003eThe attacker serves the modified image files and the updated \u003ccode\u003eimages.json\u003c/code\u003e over HTTPS.\u003c/li\u003e\n\u003cli\u003eAn \u003ccode\u003eincus image copy\u003c/code\u003e of that image from \u003ccode\u003eTESTSERVER\u003c/code\u003e is performed on the vulnerable Incus server, whether by the attacker, who has access to it, or by a target user who has been directed to \u003ccode\u003eTESTSERVER\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause the combined fingerprint is not validated, the vulnerable Incus server accepts the altered files from \u003ccode\u003eTESTSERVER\u003c/code\u003e and stores them in its image cache under the legitimate fingerprint.\u003c/li\u003e\n\u003cli\u003eThe next time a user on that server launches an instance from the image (e.g., \u003ccode\u003eincus launch images:debian/trixie\u003c/code\u003e), the cached, compromised image is used and the attacker\u0026rsquo;s injected code executes inside the new instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation poisons the image cache, so every user of the same Incus server who launches an instance from the affected image receives the attacker\u0026rsquo;s modified rootfs, giving the attacker arbitrary code execution inside those instances. The impact is greatest in multi-tenant environments, where a single poisoned image reaches multiple users and their workloads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSet \u003ccode\u003erestricted.image.servers\u003c/code\u003e in the project configuration to limit image sources to trusted servers, so images cannot be pulled from attacker-controlled servers (reference: Overview).\u003c/li\u003e\n\u003cli\u003eRestrict network access through firewalling or an HTTP proxy so that Incus servers cannot reach untrusted image servers (reference: Overview).\u003c/li\u003e\n\u003cli\u003eMonitor outbound connections from Incus servers for connections to unauthorized or suspicious image servers, using the \u003ccode\u003eDetect Suspicious Incus Image Download\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect Modified SquashFS Files\u003c/code\u003e Sigma rule to identify instances using potentially tampered image files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T17:08:07Z","date_published":"2026-03-27T17:08:07Z","id":"/briefs/2024-01-incus-image-poisoning/","summary":"A vulnerability exists in Incus where it does not properly verify the combined fingerprint when downloading images from simplestreams servers, allowing an attacker to perform image cache poisoning and potentially expose other tenants to running attacker-controlled images.","title":"Incus Image Cache Poisoning Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-incus-image-poisoning/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["incus","template-injection","privilege-escalation","CVE-2026-33897","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIncus, a system container and virtual machine manager, is vulnerable to arbitrary file read and write as root on the host because of a flaw in its instance template handling. Before version 6.23.0, rendering of pongo2 templates, which are used to generate files inside instances at points in their lifecycle, is not confined by chroot to the instance\u0026rsquo;s filesystem, so templates can reach the entire host filesystem with root privileges. This vulnerability, identified as CVE-2026-33897…\u003c/p\u003e\n","date_modified":"2026-03-26T23:16:20Z","date_published":"2026-03-26T23:16:20Z","id":"/briefs/2024-01-incus-template-vuln/","summary":"A vulnerability in Incus versions prior to 6.23.0 allows for arbitrary read and write access as root on the host server by exploiting a missing chroot isolation in the pongo2 template engine.","title":"Incus Instance Template Vulnerability CVE-2026-33897","url":"https://feed.craftedsignal.io/briefs/2024-01-incus-template-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Incus","version":"https://jsonfeed.org/version/1.1"}
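The attack chain in the image cache poisoning brief above turns on one missing check: the downloader compared each file's size and SHA256 against images.json, which the attacker controls, but never recomputed the fingerprint the image was being cached under. The Python below is an added example, not Incus or CraftedSignal code; it puts that per-file-only validation beside a hardened version that recomputes the combined fingerprint from the downloaded bytes. It assumes a split image's fingerprint is SHA-256 over the metadata tarball bytes followed by the rootfs bytes (the simplestreams combined_squashfs_sha256 convention), and every image file and index entry is a constructed stand-in built inline.

```python
"""Per-file vs. combined-fingerprint validation of a simplestreams split image.

Added example, not Incus project code. Assumption: a split image's fingerprint is
SHA-256 over the metadata tarball bytes followed by the rootfs bytes (the
simplestreams combined_squashfs_sha256 convention). All image bytes below are
constructed stand-ins, not real tarballs or squashfs files.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def combined_fingerprint(metadata: bytes, rootfs: bytes) -> str:
    """Fingerprint of a split image: a single SHA-256 over metadata || rootfs."""
    h = hashlib.sha256()
    h.update(metadata)
    h.update(rootfs)
    return h.hexdigest()


def make_index_item(metadata: bytes, rootfs: bytes) -> dict:
    """The images.json entry a simplestreams server publishes for a split image."""
    return {
        "items": {
            "incus.tar.xz": {
                "size": len(metadata),
                "sha256": sha256_hex(metadata),
                "combined_squashfs_sha256": combined_fingerprint(metadata, rootfs),
            },
            "rootfs.squashfs": {"size": len(rootfs), "sha256": sha256_hex(rootfs)},
        }
    }


def per_file_checks_pass(index_item: dict, metadata: bytes, rootfs: bytes) -> bool:
    """Size and SHA256 of each file against images.json. The server publishing
    images.json is the same party serving the files, so these pass for any file
    that party has re-hashed."""
    meta = index_item["items"]["incus.tar.xz"]
    root = index_item["items"]["rootfs.squashfs"]
    return (len(metadata) == meta["size"] and sha256_hex(metadata) == meta["sha256"]
            and len(rootfs) == root["size"] and sha256_hex(rootfs) == root["sha256"])


def vulnerable_accept(index_item: dict, metadata: bytes, rootfs: bytes,
                      requested_fingerprint: str) -> bool:
    """Flawed behaviour: cache the files under the fingerprint the client asked
    for as long as the per-file hashes line up; the fingerprint itself is never
    recomputed, so requested_fingerprint is unused."""
    return per_file_checks_pass(index_item, metadata, rootfs)


def hardened_accept(index_item: dict, metadata: bytes, rootfs: bytes,
                    requested_fingerprint: str) -> tuple:
    """Hardened behaviour: recompute the combined fingerprint from the bytes that
    were actually downloaded and refuse to cache under a fingerprint they do not
    match. Returns (accepted, reason)."""
    if not per_file_checks_pass(index_item, metadata, rootfs):
        return False, "per-file size/sha256 mismatch"
    actual = combined_fingerprint(metadata, rootfs)
    if actual != requested_fingerprint:
        return False, (f"combined fingerprint mismatch: got {actual[:12]}, "
                       f"expected {requested_fingerprint[:12]}")
    return True, "ok"


# Constructed stand-ins for the image files.
GOOD_META = b"incus.tar.xz (constructed metadata tarball)"
GOOD_ROOTFS = b"rootfs.squashfs (constructed legitimate root filesystem)"
EVIL_ROOTFS = GOOD_ROOTFS + b" + injected payload"

# The fingerprint the legitimate image server advertises for this image.
LEGIT_FINGERPRINT = combined_fingerprint(GOOD_META, GOOD_ROOTFS)


def poisoned_index_item() -> dict:
    """What the attacker's server publishes: per-file hash and size updated for
    the altered rootfs, but still advertised under the legitimate fingerprint."""
    item = make_index_item(GOOD_META, EVIL_ROOTFS)
    item["items"]["incus.tar.xz"]["combined_squashfs_sha256"] = LEGIT_FINGERPRINT
    return item


def demo() -> dict:
    """Run both validators against the legitimate and the poisoned image."""
    legit = make_index_item(GOOD_META, GOOD_ROOTFS)
    evil = poisoned_index_item()
    return {
        "vulnerable_legit": vulnerable_accept(legit, GOOD_META, GOOD_ROOTFS, LEGIT_FINGERPRINT),
        "vulnerable_poisoned": vulnerable_accept(evil, GOOD_META, EVIL_ROOTFS, LEGIT_FINGERPRINT),
        "hardened_legit": hardened_accept(legit, GOOD_META, GOOD_ROOTFS, LEGIT_FINGERPRINT),
        "hardened_poisoned": hardened_accept(evil, GOOD_META, EVIL_ROOTFS, LEGIT_FINGERPRINT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both `vulnerable_*` results come back True: the poisoned rootfs passes every per-file check and would be cached under the legitimate fingerprint, which is the bug the brief describes. The hardened path rejects it because the fingerprint is recomputed from the downloaded bytes; trusting the `combined_squashfs_sha256` field in images.json instead would not help, since the attacker's server writes that field too.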