CVE-2026-48751

CVE-2026-48751: Incus Restricted Project Bypass Leading to Arbitrary Command Execution

Detects exploitation of CVE-2026-48751, a critical missing-authorization vulnerability (CWE-862) in Incus (github.com/lxc/incus/v7/cmd/incusd) in versions prior to 7.2.0. An attacker with access to a restricted Incus project can bypass the project restrictions and execute arbitrary commands on the host system, i.e. escape the container. The issue carries a CVSS score of 9.9 and a public proof-of-concept is available.

Vulnerability Intelligence: Public PoC available

Affected Software
  Vendor: go
  Product: github.com/lxc/incus/v7/cmd/incusd
  Versions: < 7.2.0

Weakness (CWE): CWE-862 (Missing Authorization)

Timeline
  Disclosed: June 26, 2026

CVSS: 9.9, Critical (9.0–10)

What is CVE-2026-48751: Incus Restricted Project Bypass Leading to Arbitrary Command Execution?

CVE-2026-48751 (Incus Restricted Project Bypass Leading to Arbitrary Command Execution) maps to the MITRE ATT&CK tactics Privilege Escalation, Lateral Movement and Execution; under Privilege Escalation, the adversary is trying to gain higher-level permissions.

This page provides production-ready detection logic for CVE-2026-48751: Incus Restricted Project Bypass Leading to Arbitrary Command Execution, covering the data sources and telemetry it touches: SecurityEvent, DeviceProcessEvents, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Privilege Escalation, Lateral Movement, Execution

Microsoft Sentinel / Defender (KQL)
union
  (SecurityEvent
   | where EventID in (4688, 4689)
   | where ParentProcessName has_any ("incusd", "incus")
   | where CommandLine has_any ("exec", "shell", "bash", "sh", "/bin/sh", "/bin/bash")
   // Normalise column names so both branches of the union share the same schema
   | project TimeGenerated, Host = Computer, Account, Parent = ParentProcessName,
             Process = NewProcessName, Cmd = CommandLine, EventID),
  (DeviceProcessEvents
   | where InitiatingProcessFileName has_any ("incusd", "incus")
   | where FileName in~ ("sh", "bash", "python3", "python", "perl", "ruby")
   | where ProcessCommandLine has_any ("exec", "chroot", "nsenter", "unshare")
   | project TimeGenerated, Host = DeviceName, Account = AccountName, Parent = InitiatingProcessFileName,
             Process = FileName, Cmd = ProcessCommandLine)
| where TimeGenerated >= ago(24h)
// Score on the shared Cmd column; scoring only ProcessCommandLine would leave every
// SecurityEvent row (where that column is null) at 50 and silently filter it out.
| extend RiskScore = case(
    Cmd has_any ("nsenter", "unshare", "chroot"), 100,
    Cmd has "exec", 80,
    50)
| where RiskScore >= 80
| sort by TimeGenerated desc

Detects processes spawned by incusd that indicate container escape or privilege escalation attempts via the restricted project bypass in CVE-2026-48751. Looks for shell spawning and namespace manipulation tools launched from incusd parent processes.

Severity: critical. Confidence: medium.

Data Sources: SecurityEvent, DeviceProcessEvents, Syslog

Required Tables: SecurityEvent, DeviceProcessEvents

False Positives

  • Legitimate administrative use of incus exec for authorized container management
  • Automated orchestration tools that use incus exec for provisioning tasks
  • Security scanning or compliance tooling that inspects container environments
  • Development environments where frequent container exec operations are expected

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-48751 (Incus Restricted Project Bypass Leading to Arbitrary Command Execution) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL) queries. In Sigma terms, this detection targets the following logsource (Incus runs on Linux hosts, so the product is linux rather than windows):

logsource:
  category: process_creation
  product: linux

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Incus Restricted Project Shell Escape via Exec API

     Expected signal: Process audit logs showing incusd spawning /bin/sh or nsenter with parent PID of incusd; auditd EXECVE records for nsenter or chroot with ppid matching incusd; /proc/<pid>/ns/pid symlink pointing to the host PID namespace

  2. Test 2: Verify Incus Vulnerable Version Present

     Expected signal: Process execution events for incusd --version and incus project list; API calls to /1.0/projects and /1.0/instances visible in incusd access logs

  3. Test 3: Container Escape via Host Namespace Entry Post-Bypass

     Expected signal: Auditd SYSCALL records for nsenter (execve), unshare, clone syscalls; /proc/<pid>/ns/pid and /proc/<pid>/ns/mnt symlinks showing target namespace 1 (host init); process tree showing sh/bash with host-level PID namespace confirmed by the NSpid field in /proc/self/status
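As an added example (not part of this page or of the Incus project), the auditd signals expected from Test 1 and Test 3 can be checked offline with the Python below: it merges SYSCALL and EXECVE records by audit event id, rebuilds the process tree from pid/ppid, and applies the same risk tiers as the KQL above to every descendant of incusd. The audit lines, pids and event ids are constructed sample data.

```python
import re
from collections import defaultdict
# Constructed auditd excerpt (sample data, not a real capture): incusd (pid 1200)
# spawns /bin/sh, which execs nsenter toward the host namespaces (the page's Test 1).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1782000000.101:501): syscall=59 ppid=1 pid=1200 comm="incusd"
type=SYSCALL msg=audit(1782000000.205:502): syscall=59 ppid=1200 pid=1310 comm="sh"
type=EXECVE msg=audit(1782000000.205:502): argc=3 a0="/bin/sh" a1="-c" a2="exec nsenter -t 1 -m -p /bin/bash"
type=SYSCALL msg=audit(1782000000.310:503): syscall=59 ppid=1310 pid=1311 comm="nsenter"
type=EXECVE msg=audit(1782000000.310:503): argc=5 a0="nsenter" a1="-t" a2="1" a3="-m" a4="-p"
"""
NAMESPACE_TOOLS = {"nsenter", "unshare", "chroot"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
MSG_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')   # audit event id
def parse_audit(text):
    # Merge the SYSCALL and EXECVE records that share an audit event id.
    events = defaultdict(dict)
    for line in text.splitlines():
        if not (m := MSG_RE.search(line)):
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[int(m.group(1))]
        if kv.get("type") == "EXECVE":
            ev["argv"] = [kv.get(f"a{i}", "") for i in range(int(kv.get("argc", 0)))]
        elif kv.get("type") == "SYSCALL":
            ev.update(pid=int(kv["pid"]), ppid=int(kv["ppid"]), comm=kv.get("comm", ""))
    return events
def has_ancestor(pid, ancestry, name, max_depth=16):
    # Walk pid -> ppid upward; True if a process named `name` is above `pid`.
    for _ in range(max_depth):
        pid = ancestry.get(pid, (None, ""))[0]
        if pid is None:
            return False
        if ancestry.get(pid, (None, ""))[1] == name:
            return True
    return False

def score_incus_spawns(text, min_score=80):
    # (event id, pid, comm, score, cmdline) for risky incusd descendants; KQL tiers: ns tools 100, exec 80, else 50.
    events = parse_audit(text)
    ancestry = {e["pid"]: (e["ppid"], e["comm"]) for e in events.values() if "pid" in e}
    alerts = []
    for eid, e in sorted(events.items()):
        if "pid" not in e or not has_ancestor(e["pid"], ancestry, "incusd"):
            continue
        tokens = " ".join(e.get("argv", [])).split()
        score = 100 if NAMESPACE_TOOLS & ({e["comm"]} | set(tokens)) else 80 if "exec" in tokens else 50
        if score >= min_score:
            alerts.append((eid, e["pid"], e["comm"], score, " ".join(tokens)))
    return alerts
```

Nested ancestry matters: the nsenter in event 503 is a grandchild of incusd, so a parent-only check would miss it while this walk catches it.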
