Vulnerabilities ›

CVE-2026-33711

High ⚡ Exploit Available

CWE-61 — Weakness Type

                    Published: Mar 26, 2026                      ·  Modified: Apr 2, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.

🤖 AI Executive Summary

CVE-2026-33711 is a local privilege escalation vulnerability in Incus versions prior to 6.23.0 that exploits predictable temporary file paths in the VM screenshot API. An attacker with local system access can create symlinks to manipulate arbitrary files, potentially leading to denial of service or privilege escalation on systems with disabled symlink protection. The vulnerability has an available exploit and affects containerization infrastructure commonly used in Saudi cloud and virtualization environments.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 28, 2026 13:01

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations operating containerized infrastructure and cloud services, particularly: (1) Government entities (NCA, CITC) running Incus-based virtualization for critical systems; (2) Banking sector (SAMA-regulated institutions, ARAMCO IT) using container orchestration for financial services; (3) Telecom providers (STC, Mobily, Zain) managing network virtualization; (4) Healthcare organizations (MOH) running virtual medical imaging systems; (5) Energy sector (ARAMCO, SEC) operating critical infrastructure on virtualized platforms. The risk is elevated in multi-tenant environments where local access by privileged users or compromised containers could lead to lateral movement and system compromise.

🏢 Affected Saudi Sectors

Government (NCA, CITC) Banking and Financial Services (SAMA-regulated) Energy (ARAMCO, SEC) Telecommunications (STC, Mobily, Zain) Healthcare (MOH) Cloud Service Providers Data Centers

🎯 MITRE ATT&CK Techniques

T1548.004 - Abuse Elevation Control Mechanism: Linux/Unix Privilege Escalation T1036.006 - Masquerading: Match Legitimate Name or Location T1083 - File and Directory Discovery T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification T1070.006 - Indicator Removal: Timestomp T1021.004 - Remote Services: SSH

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Incus installations in your environment using: incus --version

2. Audit systems with Incus versions < 6.23.0 for exposure

3. Restrict local system access and container escape vectors

4. Review /tmp directory permissions and monitor for suspicious symlink creation



PATCHING GUIDANCE:

1. Upgrade Incus to version 6.23.0 or later immediately

2. For systems unable to patch immediately, disable VM screenshot API functionality if not required

3. Verify kernel parameter net.ipv4.conf.all.protected_symlinks = 1 is enabled (default on most systems)

4. Test protected_symlinks status: cat /proc/sys/fs/protected_symlinks (should return 1)



COMPENSATING CONTROLS:

1. Implement strict file system permissions on /tmp (mode 1777 with sticky bit)

2. Monitor /tmp for suspicious symlink creation using auditd rules:

   - auditctl -w /tmp -p wa -k tmp_monitoring

3. Restrict local access to Incus API endpoints

4. Implement container security policies to prevent container-to-host access

5. Use AppArmor or SELinux profiles to restrict Incus process capabilities



DETECTION RULES:

1. Monitor for symlink creation in /tmp: auditctl -a always,exit -F dir=/tmp -F perm=w -F auid>=1000 -k symlink_creation

2. Alert on Incus screenshot API calls from non-standard sources

3. Monitor file permission/ownership changes on critical system files

4. Track failed file access attempts with EACCES errors in Incus logs

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع تثبيتات Incus في بيئتك باستخدام: incus --version

2. قم بتدقيق الأنظمة التي تحتوي على إصدارات Incus < 6.23.0 للتعرض

3. قيد الوصول المحلي للنظام وناقلات هروب الحاويات

4. راجع أذونات دليل /tmp وراقب إنشاء الروابط الرمزية المريبة

إرشادات التصحيح:

1. قم بترقية Incus إلى الإصدار 6.23.0 أو أحدث على الفور

2. بالنسبة للأنظمة غير القادرة على التصحيح فوراً، قم بتعطيل وظيفة واجهة برمجة تطبيقات لقطات الآلات الافتراضية إذا لم تكن مطلوبة

3. تحقق من أن معامل kernel net.ipv4.conf.all.protected_symlinks = 1 مفعل (الافتراضي على معظم الأنظمة)

4. اختبر حالة protected_symlinks: cat /proc/sys/fs/protected_symlinks (يجب أن يعود 1)

الضوابط البديلة:

1. تنفيذ أذونات نظام الملفات الصارمة على /tmp (الوضع 1777 مع sticky bit)

2. مراقبة /tmp لإنشاء الروابط الرمزية المريبة باستخدام قواعد auditd

3. تقييد الوصول المحلي إلى نقاط نهاية واجهة برمجة تطبيقات Incus

4. تنفيذ سياسات أمان الحاويات لمنع وصول الحاويات إلى المضيف

5. استخدام ملفات تعريف AppArmor أو SELinux لتقييد قدرات عملية Incus

قواعد الكشف:

1. مراقبة إنشاء الروابط الرمزية في /tmp

2. تنبيهات على استدعاءات واجهة برمجة تطبيقات لقطات Incus من مصادر غير قياسية

3. مراقبة تغييرات أذونات/ملكية الملفات على ملفات النظام الحرجة

4. تتبع محاولات الوصول إلى الملفات الفاشلة في سجلات Incus

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies ECC 2024 A.5.2.1 - User Registration and Access Rights Management ECC 2024 A.5.3.1 - Management of Privileged Access Rights ECC 2024 A.8.1.1 - Audit Logging ECC 2024 A.8.2.1 - Protection of Log Information ECC 2024 A.12.4.1 - Event Logging

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Hardware and Software Assets SAMA CSF PR.AC-1 - Access Control Policy SAMA CSF PR.AC-3 - Access Enforcement SAMA CSF PR.AC-4 - Access Rights Management SAMA CSF DE.CM-1 - System Monitoring SAMA CSF DE.AE-1 - Audit Logging

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access Control ISO 27001:2022 A.5.16 - Identification and Authentication ISO 27001:2022 A.5.17 - Access Rights ISO 27001:2022 A.8.15 - Logging ISO 27001:2022 A.8.16 - Monitoring Activities

🔗 References & Sources 2

🔗

https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x

security-advisories@github.com

Exploit Vendor Advisory

🔗

https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x

134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

linuxcontainers:incus

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-61

EPSS0.01%

Exploit ✓ Yes

Patch ✗ No

Published 2026-03-26

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available CWE-61

🏢 Vendor Advisories

🔗 https://github.com/lxc/incus/security/advisories/GHS... 🔗 https://github.com/lxc/incus/security/advisories/GHS...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-33711

💬 Comments

Introduce Yourself

Sign In Required