CVE-2026-48750

Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750)

CVE-2026-48750 is a critical arbitrary file write vulnerability (CVSS 9.9) in the Incus container and virtual machine manager (Go package path github.com/lxc/incus/v7/cmd/incusd), affecting versions before 7.2.0. A crafted container image can place a symlink at the path where incusd stores exec output; when the daemon writes that output it follows the link, so attacker-controlled content lands at an arbitrary location on the host filesystem. The result is a container escape leading to full host compromise. A public PoC is available.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
go
Product
github.com/lxc/incus/v7/cmd/incusd
Versions
< 7.2.0

Timeline

Disclosed
June 26, 2026

CVSS

9.9
Critical (9.0–10)

What is CVE-2026-48750 Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750)?

Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750) maps to three MITRE ATT&CK tactics: Privilege Escalation (the adversary is trying to gain higher-level permissions; here a write from inside a container lands as root on the host), Credential Access (the same write can replace credential files such as /etc/passwd or an authorized_keys file) and Execution (a written cron entry or systemd unit runs attacker code on the host).

This page provides production-ready detection logic for Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750), covering the telemetry it touches: Microsoft Defender for Endpoint, Syslog and the Azure Monitor Agent. The queries below are rated critical severity at medium confidence and ship in seven query languages for their respective SIEMs: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic
Privilege Escalation Credential Access Execution
Microsoft Sentinel / Defender
kusto
union
(
    // Branch 1: writes into sensitive host paths made by incusd itself (the daemon is
    // what writes the exec output) or by a process it spawned. The path test is anchored
    // at the filesystem root so the same directory names inside a container rootfs under
    // /var/lib/incus are not flagged.
    DeviceFileEvents
    | where ActionType in ("FileCreated", "FileModified")
    | where InitiatingProcessFileName =~ "incusd"
        or InitiatingProcessParentFileName has_any ("incusd", "incus")
    | where FolderPath matches regex @"^/(etc|root|var/spool/cron|usr/local/bin|(usr/)?lib/systemd|home/[^/]+/\.ssh)(/|$)"
    | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
),
(
    // Branch 2: helper binaries launched under incusd whose command line references an
    // exec-output location (symlink staging from inside the container).
    DeviceProcessEvents
    | where InitiatingProcessParentFileName has_any ("incusd", "incus")
    | where FileName in~ ("ln", "cp", "mv", "install", "tee", "bash", "sh", "python3", "perl")
    | where ProcessCommandLine matches regex @"(exec.output|/var/log/incus|/run/incus)"
    | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessCommandLine
),
(
    // Branch 3: incusd daemon log lines mentioning exec-output or symlink handling.
    // Lowest-confidence branch; the exact wording depends on the incusd version.
    Syslog
    | where Facility == "daemon" and ProcessName in ("incusd", "incus")
    | where SyslogMessage has_any ("exec-output", "symlink", "file write", "container escape")
    | project TimeGenerated, HostName, SyslogMessage, ProcessName
)
| extend ThreatLabel = "CVE-2026-48750 Incus symlink exec-output file write"
| order by TimeGenerated desc

Detects writes into sensitive host paths performed by incusd itself or by a process it spawned, helper-process execution under incusd that references exec-output locations, and incusd syslog entries mentioning exec-output or symlink handling.
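The three branches of the query above, reimplemented in Go over constructed sample telemetry so the filter logic can be exercised offline. This is an added example, not part of the original page or of any SIEM content pack, and every sample event (including the syslog text) is made up. It also runs the unanchored path pattern alongside the anchored one to show why incusd's own writes into a container rootfs would otherwise trip the file branch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Column subsets of the three Sentinel tables the query unions.
type FileEvent struct{ ActionType, InitiatingProcessFileName, InitiatingProcessParentFileName, FolderPath string }
type ProcessEvent struct{ InitiatingProcessParentFileName, FileName, ProcessCommandLine string }
type SyslogEvent struct{ Facility, ProcessName, SyslogMessage string }

// Anchored at the filesystem root, so only real host locations match.
var sensitiveHostPath = regexp.MustCompile(`^/(etc|root|var/spool/cron|usr/local/bin|(usr/)?lib/systemd|home/[^/]+/\.ssh)(/|$)`)

// The unanchored form also matches the same directory names inside a container
// rootfs, which incusd writes to routinely.
var unanchoredPath = regexp.MustCompile(`/(etc|root|var/spool/cron|usr/local/bin|lib/systemd|home/[^/]+/\.ssh)`)

var execOutputArgs = regexp.MustCompile(`exec.output|/var/log/incus|/run/incus`)

var helperBinaries = map[string]bool{"ln": true, "cp": true, "mv": true, "install": true,
	"tee": true, "bash": true, "sh": true, "python3": true, "perl": true}

var syslogIndicators = []string{"exec-output", "symlink", "file write", "container escape"}

func fromIncus(name string) bool { return name == "incusd" || name == "incus" }

// MatchFile is the DeviceFileEvents branch; anchored selects which path test is applied.
func MatchFile(e FileEvent, anchored bool) bool {
	if e.ActionType != "FileCreated" && e.ActionType != "FileModified" {
		return false
	}
	if e.InitiatingProcessFileName != "incusd" && !fromIncus(e.InitiatingProcessParentFileName) {
		return false
	}
	if anchored {
		return sensitiveHostPath.MatchString(e.FolderPath)
	}
	return unanchoredPath.MatchString(e.FolderPath)
}

// MatchProcess is the DeviceProcessEvents branch: a helper binary spawned under incus
// whose command line references an exec-output location.
func MatchProcess(e ProcessEvent) bool {
	return fromIncus(e.InitiatingProcessParentFileName) &&
		helperBinaries[strings.ToLower(e.FileName)] &&
		execOutputArgs.MatchString(e.ProcessCommandLine)
}

// MatchSyslog is the Syslog branch: daemon-facility incusd messages with a keyword hit.
func MatchSyslog(e SyslogEvent) bool {
	if e.Facility != "daemon" || !fromIncus(e.ProcessName) {
		return false
	}
	msg := strings.ToLower(e.SyslogMessage)
	for _, k := range syslogIndicators {
		if strings.Contains(msg, k) {
			return true
		}
	}
	return false
}

// Constructed sample telemetry; none of it is real incusd output.
var sampleFiles = []FileEvent{
	{"FileModified", "incusd", "systemd", "/root/.ssh/authorized_keys"},                                           // true positive
	{"FileCreated", "incusd", "systemd", "/var/lib/incus/storage-pools/default/containers/c1/rootfs/etc/passwd"}, // rootfs write, benign
	{"FileCreated", "incusd", "systemd", "/var/log/incus/c1/exec-output.log"},                                    // own log dir, benign
	{"FileModified", "vim", "bash", "/etc/hosts"},                                                                // not incus
}

var sampleProcs = []ProcessEvent{
	{"incusd", "sh", "sh -c 'ln -sf /root/.ssh/authorized_keys /tmp/exec-output/run.log'"},
	{"incusd", "sh", "sh -c 'echo hello'"},
}

var sampleSyslog = []SyslogEvent{
	{"daemon", "incusd", "exec-output path for instance c1 is a symlink (constructed message)"},
	{"daemon", "incusd", "Instance c1 started"},
}

// CountFileHits returns how many sample file events the chosen path test flags.
func CountFileHits(anchored bool) int {
	n := 0
	for _, e := range sampleFiles {
		if MatchFile(e, anchored) {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("file hits anchored:", CountFileHits(true), "unanchored:", CountFileHits(false))
	for _, e := range sampleProcs {
		fmt.Println("process:", MatchProcess(e), e.ProcessCommandLine)
	}
	for _, e := range sampleSyslog {
		fmt.Println("syslog:", MatchSyslog(e), e.SyslogMessage)
	}
}
```

With the anchored pattern only the authorized_keys write fires; the unanchored pattern also fires on the rootfs write, which is exactly the false positive the tuning notes below warn about.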

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Syslog Azure Monitor Agent

Required Tables

DeviceFileEvents DeviceProcessEvents Syslog

False Positives

  • Legitimate Incus container management writing log or output files to monitored directories; note that container rootfs paths under /var/lib/incus contain their own /etc, /root and .ssh directories, so the host path filter must be anchored at / or every incusd write into a rootfs will match
  • Automated Incus image testing pipelines that write output to system directories under controlled conditions
  • Security tooling scanning Incus exec-output directories for forensic purposes

Sigma rule & cross-platform mapping

The detection logic for Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms the file-write branch targets the Linux file_event logsource and the process branch the Linux process_creation logsource; the vulnerable component, incusd, runs only on Linux hosts, so a Windows logsource does not apply:

logsource:
  category: file_event
  product: linux

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create a malicious symlink at the exec-output path inside a container image

     Expected signal: auditd symlink syscall from a process tree rooted at incusd; file write event to /etc/passwd originating from incusd or one of its child processes

  2. Test 2: Symlink traversal via exec-output to /root/.ssh/authorized_keys

     Expected signal: file write syscall to /root/.ssh/authorized_keys with incusd as an ancestor in the process tree; auditd type=PATH record for authorized_keys

  3. Test 3: Exec-output symlink pointing at a systemd service unit, for persistence

     Expected signal: file creation event under /lib/systemd/system/ with incusd as an ancestor; subsequent systemd daemon-reload or service enable events

Unlock Pro Content

Get the full detection package for CVE-2026-48750 including response playbook, investigation guide, and atomic red team tests.
