{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-03-26T23:27:45.711Z", "dateUpdated": "2026-03-27T20:00:08.359Z"}, "containers": {"cna": {"title": "Abitrary file write through systemd-creds option", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f"}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"version": "< 6.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:27:45.711Z"}, "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue."}], "source": {"advisory": "GHSA-q4q8-7f2j-9h9f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:09:43.149002Z", "id": "CVE-2026-33945", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:00:08.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33945", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T14:09:43.149002Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:09:50.207Z"}}], "cna": {"title": "Abitrary file write through systemd-creds option", "source": {"advisory": "GHSA-q4q8-7f2j-9h9f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"status": "affected", "version": "< 6.23.0"}]}], "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f", "name": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:27:45.711Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33945", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:00:08.359Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T23:27:45.711Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue."}], "id": "CVE-2026-33945", "lastModified": "2026-03-27T00:16:23.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:23.633", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "incus: Incus: Privilege escalation and denial of service via path traversal in systemd credential configuration", "id": "2452054", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452054"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Incus, a system container and virtual machine manager. An attacker with the ability to configure Incus instances can exploit a path traversal vulnerability by manipulating the `systemd.credential` configuration key. This allows the attacker to write to arbitrary files as the root user, leading to both privilege escalation and denial of service within the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33945", "public_date": "2026-03-26T23:27:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33945\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33945\nhttps://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f"], "statement": "Critical: A path traversal vulnerability in Incus allows an attacker with the ability to configure Incus instances to write to arbitrary files as the root user. This can lead to privilege escalation and denial of service within the system. This issue affects Incus, which is available as a community project.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "incus", "source": "cna", "vendor": "lxc"}, "product": "incus", "vendor": "lxc"}], "analysis": {"en": {"generated_at": "2026-03-27T06:36:48.434028+00:00", "value": {"mitigation_remediation": ["Update Incus to version 6.23.0 or later.", "Verify that all credential configuration keys contain only valid names without any traversal patterns.", "Audit current Incus deployments for any legacy credential keys that might expose traversal sequences.", "If upgrade is not immediately possible, review and restrict the ability to modify container configuration to trusted personnel only."], "summary": {"action": "Immediate Patch", "impact": "Privilege escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects instances of the Incus container and VM manager produced by the lxc:incus vendor. Any installation of Incus prior to version 6.23.0 is vulnerable. Versions 6.23.0 and newer contain a fix that sanitizes credential keys.", "description_and_impact": "The vulnerability allows an attacker to write to arbitrary files within the host filesystem by crafting a specially named credential configuration key. Because the key can include directory traversal sequences, Incus writes the specified data outside the intended credentials directory, allowing the writing of any file as the root user. This results in full privilege escalation and can also be used to cause denial of service by corrupting critical host files. The weakness corresponds to CWE\u201122, an absolute path traversal flaw.", "risk_and_exploitability": "The CVSS score is 10, indicating the highest possible severity. Although an official EPSS score is not yet available, the absence of any mitigation in the strategy suggests that exploitation is straightforward for a local attacker who can influence container configuration. The vulnerability is not listed in the CISA KEV catalog, but its potential for root access and the lack of traffic shaping make it a high\u2011priority target. The attack vector is inferred to be local or network\u2011bound to the Incus management interface, depending on the host configuration."}}}}, "created": "2026-03-27T08:31:24.945508+00:00", "updated": "2026-03-27T09:22:47.503015+00:00", "vendors": ["lxc", "lxc$PRODUCT$incus"]}