{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33711", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.747Z", "datePublished": "2026-03-26T22:37:29.746Z", "dateUpdated": "2026-03-26T22:37:29.746Z"}, "containers": {"cna": {"title": "Incus vulnerable to local privilege escalation through VM screenshot path", "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "lang": "en", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x"}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"version": "< 6.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T22:37:29.746Z"}, "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a \"Permission denied\" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue."}], "source": {"advisory": "GHSA-q9vp-3wcg-8p4x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a \"Permission denied\" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue."}], "id": "CVE-2026-33711", "lastModified": "2026-03-26T23:16:20.423", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T23:16:20.423", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-61"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "incus", "source": "cna", "vendor": "lxc"}, "product": "incus", "vendor": "lxc"}], "analysis": {"en": {"generated_at": "2026-03-27T06:28:22.882675+00:00", "value": {"mitigation_remediation": ["Upgrade Incus to version 6.23.0 or later to remove the vulnerable screenshot handling logic.", "Verify that the kernel\u2019s protected_symlinks feature is enabled (fs.protected_symlinks=1); enabling it prevents the attack path that modifies arbitrary files.", "If an upgrade is not immediately possible, restrict write permissions for unprivileged users to the /tmp directory or remove the directory as a temporary protection measure."], "summary": {"action": "Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Incus from the LXC project. All releases prior to 6.23.0 are vulnerable. The problem arises on Linux systems where the Incus API writes screenshots to predictable /tmp paths and the kernel\u2019s protected_symlinks feature is disabled.", "description_and_impact": "Incus, a system container and virtual machine manager, allows retrieval of VM screenshots via an API that writes to a temporary file in /tmp. Versions before 6.23.0 generate predictable paths for this temporary file, permitting an attacker with local access to create a pre\u2011existing symbolic link at that path. When protected_symlinks is disabled, Incus truncates the target file and alters its mode and permissions, effectively overwriting arbitrary files. This can lead to denial of service or local privilege escalation. The vulnerability is a classic path traversal and insecure temporary file issue, classified as CWE\u201161.", "risk_and_exploitability": "The CVSS score is 4.7, indicating low to moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers require local system access and the ability to create symlinks in /tmp. On systems with the default (enabled) protected_symlinks setting, the risk is mitigated, but on rare distributions where the feature is purposely disabled, local users can leverage the path to erase and overwrite arbitrary files, potentially gaining elevated privileges or causing a denial of service."}}}}, "created": "2026-03-27T08:31:30.209847+00:00", "updated": "2026-03-27T09:22:54.417788+00:00", "vendors": ["lxc", "lxc$PRODUCT$incus"]}