CVE-2026-48749

CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image

Detects exploitation of CVE-2026-48749, a critical vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. Attackers can craft a malicious container image with symlinks in the rootfs/ directory that resolve to host filesystem paths, enabling arbitrary file read and write on the underlying host. This constitutes a container escape primitive and may lead to full host compromise. CVSS 9.9 with public PoC available.
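As an added illustration of the pre-import check a defender would want for this bug (example code, not Incus's own), the Python below scans an image tarball's rootfs/ entries for symlinks that would resolve to a host path if followed on the host. The sensitive-path list is the one the KQL rule on this page watches; treating other absolute links as benign is an assumption of this example, and the sample tarball is constructed here.

```python
import io
import posixpath
import tarfile

# Host paths the KQL rule on this page watches (SuspiciousIncusPaths). Absolute
# links to anything else (e.g. /etc/localtime -> /usr/share/zoneinfo/UTC) are normal.
SENSITIVE_HOST_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers",
                        "/root/.ssh", "/var/lib/incus", "/run/incus")

def classify_symlink(link_name, target):
    """Return why a symlink at link_name (path inside the tar) is suspicious, else None."""
    if posixpath.isabs(target):
        norm = posixpath.normpath(target)
        if any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            return "absolute target names a sensitive host path"
        return None
    # Relative target: resolve against the link's own directory inside the archive.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_name), target))
    if resolved == "rootfs" or resolved.startswith("rootfs/"):
        return None
    return "relative target climbs out of rootfs/"

def find_escaping_symlinks(tar_bytes):
    """List (link, target, reason) for symlinks under rootfs/ that land on a host path."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if not m.issym() or not name.startswith("rootfs/"):
                continue
            reason = classify_symlink(name, m.linkname)
            if reason:
                findings.append((name, m.linkname, reason))
    return findings

def build_sample_image():
    """Constructed sample tarball (not a real Incus image): two benign links, two escaping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, target in (("rootfs/bin/sh", "bash"),
                             ("rootfs/etc/localtime", "/usr/share/zoneinfo/UTC"),
                             ("rootfs/etc/passwd", "/etc/passwd"),
                             ("rootfs/etc/shadow", "../../../../etc/shadow")):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tf.addfile(ti)
    return buf.getvalue()
```

Running the scan on a real image before `incus image import` gives a list of links to review; an empty list from a trusted upstream image is the expected result.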

Vulnerability Intelligence

Public PoC: available

Affected Software
Vendor: go
Product: github.com/lxc/incus/v7/cmd/incusd
Versions: < 7.2.0

Weakness (CWE)

Timeline
Disclosed: June 26, 2026

CVSS: 9.9, Critical (9.0–10)

What is CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image?

CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image maps to the Initial Access, Persistence, Privilege Escalation and Defense Evasion tactics in MITRE ATT&CK (Initial Access: the adversary is trying to get into your network).

This page provides production-ready detection logic for CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceFileEvents, DeviceProcessEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Persistence, Privilege Escalation, Defense Evasion
Microsoft Sentinel / Defender (KQL)

// Host paths that should never be reached through a container rootfs
let SuspiciousIncusPaths = dynamic(['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/root/.ssh', '/var/lib/incus', '/run/incus']);
// Image import and instance creation activity (DeviceProcessEvents is the Defender/Sentinel process table)
let IncusImageImport = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where ProcessCommandLine has_any ('incus image import', 'incusd', 'incus launch', 'incus init')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName;
// File creation or modification under a container rootfs in Incus/LXC storage.
// DeviceFileEvents does not flag symlinks explicitly, so this captures every write there.
let SymlinkActivity = DeviceFileEvents
| where TimeGenerated > ago(24h)
| where ActionType in ('FileCreated', 'FileModified')
| where FolderPath has 'rootfs'
| where FolderPath has_any ('/var/lib/incus', '/var/lib/lxc')
| project TimeGenerated, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine;
// incusd or lxd touching sensitive host paths directly
let HostFileAccess = DeviceFileEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ('incusd', 'lxd')
| where FolderPath has_any (SuspiciousIncusPaths)
| project TimeGenerated, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName;
// Inner join so an import only surfaces when rootfs write activity exists on the same host;
// a leftouter join would raise a row for every import, and count() is never zero after summarize
IncusImageImport
| join kind=inner (SymlinkActivity) on DeviceName
| union HostFileAccess
| summarize EventCount=count(), Actions=make_set(ActionType), Paths=make_set(FolderPath) by DeviceName, bin(TimeGenerated, 5m)
| extend AlertDetail = strcat('Potential CVE-2026-48749 exploitation: Incus rootfs symlink traversal detected on ', DeviceName)
| project TimeGenerated, DeviceName, AlertDetail, EventCount, Actions, Paths

Detects suspicious file access from the incusd process targeting host-sensitive paths, and monitors rootfs directory symlink creation during image import operations indicative of CVE-2026-48749 exploitation.

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceFileEvents, DeviceProcessEvents

Required Tables

DeviceFileEvents, DeviceProcessEvents, ProcessEvents

False Positives

  • Legitimate Incus image imports that include rootfs symlinks for valid bind-mount configurations
  • Administrative access to container storage paths by authorized infrastructure engineers
  • Backup or snapshot operations that traverse container rootfs directories
  • Incus upgrade or migration processes that touch host filesystem paths

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: linux


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create malicious Incus image with rootfs symlink targeting /etc/passwd

     Expected signal: auditd syscall events for symlink() within /var/lib/incus/*/rootfs/; file open events on host /etc/passwd initiated by the incusd process; DeviceFileEvents showing incusd accessing /etc/passwd outside the container namespace

  2. Test 2: Exploit rootfs symlink for host SSH authorized_keys write

     Expected signal: file write event on host /root/.ssh/authorized_keys attributed to incusd or the container init process; auditd records showing a write() syscall to /root/.ssh/authorized_keys from the incusd context; FIM alert on /root/.ssh/authorized_keys modification

  3. Test 3: Read host /etc/shadow via rootfs symlink for credential harvesting

     Expected signal: file read event on host /etc/shadow initiated from the incusd process context; auditd openat() syscall on /etc/shadow attributed to the container namespace but resolved to a host inode; audit log entry for privileged file access outside expected paths
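To check the auditd side of the expected signals above, here is an added Python matcher (not part of the original page) that groups raw audit records by event id and flags the two signals the tests list: a symlink created under a container rootfs in Incus/LXC storage, and incusd itself opening a sensitive host file. Syscall numbers assume an x86_64 host, and the sample records are constructed for this example.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (assumption: amd64 host; other architectures differ).
SYMLINK_SYSCALLS = {"88": "symlink", "266": "symlinkat"}
OPEN_SYSCALLS = {"2": "open", "257": "openat"}
SENSITIVE_HOST_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh")
CONTAINER_STORAGE = ("/var/lib/incus/", "/var/lib/lxc/")
EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(lines):
    """Group raw auditd lines by event id: the SYSCALL record plus all PATH names."""
    events = defaultdict(lambda: {"SYSCALL": {}, "PATH": []})
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)]["SYSCALL"] = fields
        elif fields.get("type") == "PATH" and "name" in fields:
            events[m.group(1)]["PATH"].append(fields["name"])
    return events

def detect(lines):
    """Return (event_id, rule, detail) tuples for the two expected signals."""
    alerts = []
    for eid, ev in parse_audit(lines).items():
        nr, comm = ev["SYSCALL"].get("syscall"), ev["SYSCALL"].get("comm", "")
        for name in ev["PATH"]:
            # Signal 1: symlink created inside a container rootfs under Incus/LXC storage.
            if nr in SYMLINK_SYSCALLS and name.startswith(CONTAINER_STORAGE) and "/rootfs/" in name:
                alerts.append((eid, "rootfs-symlink-created", f"{SYMLINK_SYSCALLS[nr]} {name}"))
            # Signal 2: incusd itself opening a sensitive host file.
            if nr in OPEN_SYSCALLS and comm == "incusd" and name.startswith(SENSITIVE_HOST_PATHS):
                alerts.append((eid, "incusd-host-sensitive-file", f"{OPEN_SYSCALLS[nr]} {name}"))
    return alerts

# Constructed sample audit records (not real telemetry): one rootfs symlink,
# one incusd read of /etc/shadow, and one benign sshd read of /etc/passwd.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1782633600.101:5001): arch=c000003e syscall=266 success=yes exit=0 comm="tar" exe="/usr/bin/tar" key="incus-images"
type=PATH msg=audit(1782633600.101:5001): item=1 name="/var/lib/incus/images/deadbeef/rootfs/etc/passwd" nametype=CREATE
type=SYSCALL msg=audit(1782633600.205:5002): arch=c000003e syscall=257 success=yes exit=3 comm="incusd" exe="/usr/bin/incusd" key="host-sensitive"
type=PATH msg=audit(1782633600.205:5002): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1782633600.300:5003): arch=c000003e syscall=257 success=yes exit=3 comm="sshd" exe="/usr/sbin/sshd"
type=PATH msg=audit(1782633600.300:5003): item=0 name="/etc/passwd" nametype=NORMAL
""".splitlines()
```

Feed it `ausearch --raw` output for a watch on /var/lib/incus and the sensitive paths; the sshd record shows that ordinary reads of /etc/passwd by other daemons are not reported.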
