Detect Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750) in IBM QRadar
CVE-2026-48750 is a critical arbitrary file write vulnerability (CVSS 9.9) in Incus container/VM manager (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. A crafted container image can place a symlink at the exec-output path, causing incusd to write attacker-controlled content to arbitrary locations on the host filesystem. This enables container escape leading to full host compromise. A public PoC is available.
QRadar Detection Query
```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "File Path" AS file_path,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "Command" AS command_line
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux', 'Auditd', 'Syslog')
  AND (
    (
      ("Parent Process Name" ILIKE '%incusd%' OR "Parent Process Name" ILIKE '%incus%')
      AND (
        "File Path" ILIKE '/etc/%' OR
        "File Path" ILIKE '/root/%' OR
        "File Path" ILIKE '/var/spool/cron/%' OR
        "File Path" ILIKE '/usr/local/bin/%' OR
        "File Path" ILIKE '/lib/systemd/%'
      )
    )
    OR (
      ("Parent Process Name" ILIKE '%incusd%' OR "Parent Process Name" ILIKE '%incus%')
      AND ("Command" ILIKE '%exec-output%' OR "Command" ILIKE '%exec_output%')
    )
    OR (
      "Event Category" = 'symlink'
      AND ("Command" ILIKE '%exec-output%' OR "Command" ILIKE '%exec_output%')
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

This QRadar AQL query detects file writes to sensitive host paths initiated by incusd, incusd-spawned processes referencing exec-output, and symlink operations involving exec-output paths. The three OR branches are grouped inside one parenthesised block so that the log source type filter applies to all of them (AND binds tighter than OR, so without the grouping only the first branch would be restricted to Linux, Auditd and Syslog sources), and the `LAST 24 HOURS` time range is placed after `ORDER BY`, which is where AQL expects it.
False Positives & Tuning
- Legitimate incus daemon operations writing configuration or log files to system directories
- Authorized container provisioning scripts that reference exec-output as part of normal workflow
- Security tooling that creates symlinks in exec-output paths during forensic investigation
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create malicious symlink in exec-output path within container image
  - Expected signal: Auditd symlink syscall from process tree rooted at incusd; file write event to /etc/passwd path originating from incusd child process
- Test 2: Detect symlink traversal via exec-output to /root/.ssh/authorized_keys
  - Expected signal: File write syscall to /root/.ssh/authorized_keys with incusd ancestor in process tree; auditd type=PATH record for authorized_keys
- Test 3: Simulate exec-output symlink to systemd service unit for persistence
  - Expected signal: File creation event under /lib/systemd/system/ with incusd ancestor; subsequent systemd daemon-reload or service enable events
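The following Python replicates the rule logic of the AQL query above and runs it over constructed events shaped like the three expected signals in the testing methodology, plus a benign incusd write and an out-of-scope log source. It is an added example written for this page, not vendor code and not part of Incus; the `HostEvent` fields mirror the properties the query selects ("Parent Process Name", "File Path", "Command", "Event Category", log source type), the sample events and the `/etc/incus/*` tuning entry are constructed to illustrate the false-positive class described above, and the command strings in the samples are placeholders rather than real Incus invocations. Like the grouped query, it applies the log source type filter to every branch.

```python
"""Offline replica of the CVE-2026-48750 QRadar rule logic (added example,
not the detection vendor's code).  Events are constructed objects whose
fields mirror the normalized QRadar properties selected by the AQL query."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable, List, Optional, Sequence, Tuple

# Same literal values as the AQL WHERE clause.
ACCEPTED_LOG_SOURCE_TYPES = {"Linux", "Auditd", "Syslog"}
SENSITIVE_PATH_PREFIXES = ("/etc/", "/root/", "/var/spool/cron/",
                           "/usr/local/bin/", "/lib/systemd/")
EXEC_OUTPUT_MARKERS = ("exec-output", "exec_output")
INCUS_PARENT_MARKERS = ("incusd", "incus")


@dataclass
class HostEvent:
    """One normalized event; field names mirror the query's column aliases."""
    log_source_type: str
    parent_process: str = ""
    file_path: str = ""
    command: str = ""
    event_category: str = ""


def _ilike_any(value: str, needles: Sequence[str]) -> bool:
    """Case-insensitive substring match, equivalent to ILIKE '%needle%'."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def _has_incus_parent(ev: HostEvent) -> bool:
    return _ilike_any(ev.parent_process, INCUS_PARENT_MARKERS)


def classify(ev: HostEvent, allowlist: Sequence[str] = ()) -> Optional[str]:
    """Return the rule branch that fires for this event, or None.

    The branches are the three OR groups of the AQL query:
      'sensitive_write'      incus-spawned write under a sensitive host prefix
      'exec_output_cmd'      incus-spawned command mentioning exec-output
      'exec_output_symlink'  symlink event whose command mentions exec-output
    The log source type filter applies to every branch.  `allowlist` holds
    glob patterns for paths an analyst has tuned out (False Positives above).
    """
    if ev.log_source_type not in ACCEPTED_LOG_SOURCE_TYPES:
        return None
    if any(fnmatch(ev.file_path, pattern) for pattern in allowlist):
        return None
    if _has_incus_parent(ev) and ev.file_path.lower().startswith(SENSITIVE_PATH_PREFIXES):
        return "sensitive_write"
    if _has_incus_parent(ev) and _ilike_any(ev.command, EXEC_OUTPUT_MARKERS):
        return "exec_output_cmd"
    if ev.event_category.lower() == "symlink" and _ilike_any(ev.command, EXEC_OUTPUT_MARKERS):
        return "exec_output_symlink"
    return None


def find_matches(events: Iterable[HostEvent],
                 allowlist: Sequence[str] = ()) -> List[Tuple[int, str]]:
    """(index, branch) for every event that fires, in input order."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        branch = classify(ev, allowlist)
        if branch:
            hits.append((idx, branch))
    return hits


# Constructed sample telemetry: one event per Testing Methodology signal,
# one for each remaining branch, a benign write, and an out-of-scope source.
# Command strings are placeholders, not real Incus invocations.
SAMPLE_EVENTS = [
    HostEvent("Auditd", parent_process="/usr/bin/incusd", file_path="/etc/passwd",
              command="write"),                                              # Test 1
    HostEvent("Auditd", parent_process="incusd", file_path="/root/.ssh/authorized_keys",
              command="write"),                                              # Test 2
    HostEvent("Linux", parent_process="incusd",
              file_path="/lib/systemd/system/example.service", command="openat"),  # Test 3
    HostEvent("Syslog", parent_process="incusd", file_path="/var/lib/incus/tmp/exec-output",
              command="sh -c 'cat exec-output'"),                            # branch 2
    HostEvent("Auditd", parent_process="/bin/sh", event_category="symlink",
              command="ln -s /etc/passwd exec-output"),                      # branch 3
    HostEvent("Auditd", parent_process="incusd", file_path="/etc/incus/managed.conf",
              command="write"),                                              # benign, tuned out
    HostEvent("Windows", parent_process="incusd", file_path="/etc/passwd"),  # wrong source type
]

# Hypothetical tuning entry for the "legitimate incus daemon operations" FP class.
TUNED_ALLOWLIST = ("/etc/incus/*",)

if __name__ == "__main__":
    for idx, branch in find_matches(SAMPLE_EVENTS, TUNED_ALLOWLIST):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {branch:20s} parent={ev.parent_process} path={ev.file_path or '-'}")
```

Keep any allowlist as narrow as the tuned-out case requires: a broad prefix such as `/etc/*` would silence exactly the writes the rule exists to catch, so tune on the specific files incusd legitimately manages and confirm each entry against the parent process as well as the path.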