Detect CVE-2026-48749: Incus Arbitrary File Read/Write via rootfs Symlink in Malicious Image in Splunk
Detects exploitation of CVE-2026-48749, a critical vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. Attackers can craft a malicious container image with symlinks in the rootfs/ directory that resolve to host filesystem paths, enabling arbitrary file read and write on the underlying host. This constitutes a container escape primitive and may lead to full host compromise. CVSS 9.9 with public PoC available.
SPL Detection Query
index=linux sourcetype IN (syslog, auditd, osquery) earliest=-24h
| eval is_incus_proc=if(match(process, "incusd|incus"), 1, 0)
| eval is_rootfs_path=if(match(file_path, "\/var\/lib\/incus.*rootfs|\/\.local\/share\/incus.*rootfs"), 1, 0)
| eval is_sensitive_host_path=if(match(file_path, "\/etc\/passwd|\/etc\/shadow|\/etc\/sudoers|\/root\/\.ssh|\/proc\/|\/sys\/"), 1, 0)
| eval symlink_created=if(match(syscall, "symlink|symlinkat") AND is_rootfs_path=1, 1, 0)
| eval host_escape=if(is_incus_proc=1 AND is_sensitive_host_path=1, 1, 0)
| where symlink_created=1 OR host_escape=1
| eval alert_type=case(
symlink_created=1 AND host_escape=1, "CRITICAL: Rootfs symlink AND host path access by incusd",
symlink_created=1, "HIGH: Symlink created in Incus rootfs directory",
host_escape=1, "HIGH: incusd accessing sensitive host path",
true(), "INFO"
)
| stats count AS event_count, min(_time) AS first_seen, max(_time) AS last_seen, values(file_path) AS affected_paths, values(alert_type) AS alert_types, dc(file_path) AS unique_paths by host, process, user
| eval cve="CVE-2026-48749"
| table first_seen, last_seen, host, process, user, event_count, unique_paths, affected_paths, alert_types, cve
| sort -event_count
Splunk detection for CVE-2026-48749 targeting auditd and osquery telemetry to identify symlink creation within Incus rootfs directories and incusd process access to sensitive host paths.
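To see exactly which events the eval and stats stages of the query above keep, here is an added Python re-implementation of that logic run over constructed, pre-normalized events; it is not code from the page or from Splunk, and it assumes the fields host, process, user, syscall and file_path have already been extracted as the query expects.

```python
import re

# Regexes copied from the SPL rule above (PCRE escapes written for Python).
INCUS_PROC = re.compile(r"incusd|incus")
ROOTFS_PATH = re.compile(r"/var/lib/incus.*rootfs|/\.local/share/incus.*rootfs")
SENSITIVE_HOST_PATH = re.compile(r"/etc/passwd|/etc/shadow|/etc/sudoers|/root/\.ssh|/proc/|/sys/")
SYMLINK_SYSCALL = re.compile(r"symlink|symlinkat")

def classify(event):
    """Return the alert_type the SPL case() assigns, or None if `where` would drop the event."""
    path = event.get("file_path", "")
    is_rootfs_path = bool(ROOTFS_PATH.search(path))
    is_sensitive_host_path = bool(SENSITIVE_HOST_PATH.search(path))
    is_incus_proc = bool(INCUS_PROC.search(event.get("process", "")))
    symlink_created = bool(SYMLINK_SYSCALL.search(event.get("syscall", ""))) and is_rootfs_path
    host_escape = is_incus_proc and is_sensitive_host_path
    if symlink_created and host_escape:
        return "CRITICAL: Rootfs symlink AND host path access by incusd"
    if symlink_created:
        return "HIGH: Symlink created in Incus rootfs directory"
    if host_escape:
        return "HIGH: incusd accessing sensitive host path"
    return None

def aggregate(events):
    """Mirror the stats clause: one row per (host, process, user) with count and distinct values."""
    rows = {}
    for ev in events:
        alert = classify(ev)
        if alert is None:
            continue
        key = (ev["host"], ev["process"], ev["user"])
        row = rows.setdefault(key, {"event_count": 0, "affected_paths": set(), "alert_types": set()})
        row["event_count"] += 1
        row["affected_paths"].add(ev["file_path"])
        row["alert_types"].add(alert)
    return rows

# Constructed sample events (not real telemetry), normalized to the fields the rule reads.
SAMPLE_EVENTS = [
    {"host": "node1", "process": "incusd", "user": "root", "syscall": "symlinkat",
     "file_path": "/var/lib/incus/containers/c1/rootfs/etc/passwd"},
    {"host": "node1", "process": "incusd", "user": "root", "syscall": "openat",
     "file_path": "/root/.ssh/authorized_keys"},
    {"host": "node1", "process": "sshd", "user": "root", "syscall": "openat",
     "file_path": "/etc/shadow"},
    {"host": "node1", "process": "incusd", "user": "root", "syscall": "openat",
     "file_path": "/var/lib/incus/containers/c1/rootfs/usr/bin/ls"},
]
```

Note that the first sample event scores CRITICAL even though no host path was touched: the sensitive-path regex is unanchored, so the container's own rootfs/etc/passwd matches it, which is one source of the false positives listed below.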
Data Sources
Required Sourcetypes
- syslog, auditd and osquery in index=linux, as selected by the query's base search; the eval stages expect the process, file_path, syscall and user fields to be extracted from those events.
False Positives & Tuning
- Legitimate container administrators creating bind-mount symlinks within approved image workflows
- Automated CI/CD pipelines building and importing Incus images with complex rootfs layouts
- Incus daemon performing routine housekeeping on container storage directories
- Security scanning tools traversing container rootfs for vulnerability assessment
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create malicious Incus image with rootfs symlink targeting /etc/passwd
  Expected signal: auditd syscall events for symlink() within /var/lib/incus/*/rootfs/; file open events on host /etc/passwd initiated by incusd process; DeviceFileEvents showing incusd accessing /etc/passwd outside container namespace
- Test 2: Exploit rootfs symlink for host SSH authorized_keys write
  Expected signal: File write event on host /root/.ssh/authorized_keys attributed to incusd or container init process; auditd records showing write() syscall to /root/.ssh/authorized_keys from incusd context; FIM alert on /root/.ssh/authorized_keys modification
- Test 3: Read host /etc/shadow via rootfs symlink for credential harvesting
  Expected signal: File read event on host /etc/shadow initiated by incusd process context; auditd openat() syscall on /etc/shadow attributed to container namespace but resolved to host inode; audit log entry for privileged file access outside expected paths