CVE-2026-48749 Elastic Security · Elastic

Detect CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image in Elastic Security

Detects exploitation of CVE-2026-48749, a critical vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. Attackers can craft a malicious container image with symlinks in the rootfs/ directory that resolve to host filesystem paths, enabling arbitrary file read and write on the underlying host. This constitutes a container escape primitive and may lead to full host compromise. CVSS 9.9 with public PoC available.

MITRE ATT&CK

Tactic
Initial Access Persistence Privilege Escalation Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=10m
  [file where event.action in ("creation", "modification") and
   file.path : ("/var/lib/incus/*/rootfs/*", "*/.local/share/incus/*/rootfs/*") and
   process.name in ("incusd", "incus")]
  [file where event.action in ("creation", "modification", "access") and
   file.path : ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh/*", "/etc/crontab", "/etc/cron.d/*") and
   process.name in ("incusd", "incus", "lxd")]
critical severity high confidence

Elastic EQL sequence detection correlating rootfs directory file activity with subsequent sensitive host file access by Incus processes, indicating potential symlink escape exploitation.

Data Sources

Elastic AgentAuditbeatFilebeat

Required Tables

logs-endpoint.events.file-*auditbeat-*

False Positives & Tuning

  • Legitimate container image build processes that manipulate rootfs followed by planned host integration
  • Incus daemon version upgrades that touch both storage paths and system configuration files
  • Automated backup solutions that access container rootfs and host paths in sequence
  • Security hardening scripts that inspect both container and host filesystem state

Other platforms for CVE-2026-48749

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create malicious Incus image with rootfs symlink targeting /etc/passwd

    Expected signal: auditd syscall events for symlink() within /var/lib/incus/*/rootfs/; file open events on host /etc/passwd initiated by incusd process; DeviceFileEvents showing incusd accessing /etc/passwd outside container namespace

  2. Test 2Exploit rootfs symlink for host SSH authorized_keys write

    Expected signal: File write event on host /root/.ssh/authorized_keys attributed to incusd or container init process; auditd records showing write() syscall to /root/.ssh/authorized_keys from incusd context; FIM alert on /root/.ssh/authorized_keys modification

  3. Test 3Read host /etc/shadow via rootfs symlink for credential harvesting

    Expected signal: File read event on host /etc/shadow initiated by incusd process context; auditd openat() syscall on /etc/shadow attributed to container namespace but resolved to host inode; audit log entry for privileged file access outside expected paths

Last updated: 2026-06-27 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-48749 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing ApplicationT1611Escape to HostT1055Process InjectionT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections