Detect Incus exec-output Symlink Arbitrary File Write on Host (CVE-2026-48750) in Microsoft Sentinel
CVE-2026-48750 is a critical arbitrary file write vulnerability (CVSS 9.9) in Incus container/VM manager (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. A crafted container image can place a symlink at the exec-output path, causing incusd to write attacker-controlled content to arbitrary locations on the host filesystem. This enables container escape leading to full host compromise. A public PoC is available.
MITRE ATT&CK
KQL Detection Query
union
(
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessParentFileName has_any ("incusd", "incus")
| where FolderPath matches regex @"/(etc|root|var/spool/cron|usr/local/bin|lib/systemd|home/[^/]+/\.ssh)"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
),
(
DeviceProcessEvents
| where InitiatingProcessParentFileName has_any ("incusd", "incus")
| where FileName in~ ("ln", "cp", "mv", "install", "tee", "bash", "sh", "python3", "perl")
| where ProcessCommandLine matches regex @"(exec.output|/var/log/incus|/run/incus)"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessCommandLine
),
(
Syslog
| where Facility == "daemon" and ProcessName in ("incusd", "incus")
| where SyslogMessage has_any ("exec-output", "symlink", "file write", "container escape")
| project TimeGenerated, HostName, SyslogMessage, ProcessName
)
| extend ThreatLabel = "CVE-2026-48750 Incus symlink exec-output file write"
| order by TimeGenerated descDetects file write activity on host paths initiated by incusd processes, process execution spawned by incusd touching exec-output paths, and syslog entries from incusd referencing symlink or container escape indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate incus container management writing log or output files to monitored directories
- Automated incus image testing pipelines that write output to system directories under controlled conditions
- Security tooling scanning incus exec-output directories for forensic purposes
Other platforms for CVE-2026-48750
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create malicious symlink in exec-output path within container image
Expected signal: Auditd symlink syscall from process tree rooted at incusd; file write event to /etc/passwd path originating from incusd child process
- Test 2Detect symlink traversal via exec-output to /root/.ssh/authorized_keys
Expected signal: File write syscall to /root/.ssh/authorized_keys with incusd ancestor in process tree; auditd type=PATH record for authorized_keys
- Test 3Simulate exec-output symlink to systemd service unit for persistence
Expected signal: File creation event under /lib/systemd/system/ with incusd ancestor; subsequent systemd daemon-reload or service enable events
Unlock Pro Content
Get the full detection package for CVE-2026-48750 including response playbook, investigation guide, and atomic red team tests.