Detect CVE-2026-48751: Incus Restricted Project Bypass Leading to Arbitrary Command Execution in IBM QRadar

Detects exploitation of CVE-2026-48751, a critical missing-authorization vulnerability (CWE-862) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. An attacker with access to a restricted Incus project can bypass the project restrictions and execute arbitrary commands on the host system, achieving container escape. The vulnerability carries a CVSS score of 9.9, and a public proof-of-concept is available.

MITRE ATT&CK

Tactics

  • Privilege Escalation
  • Lateral Movement
  • Execution

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "processname",
  "parentprocessname",
  "commandline",
  CASE
    WHEN "commandline" ILIKE '%nsenter%' OR "commandline" ILIKE '%unshare%' OR "commandline" ILIKE '%chroot%' THEN 'NAMESPACE_MANIPULATION'
    WHEN "parentprocessname" ILIKE '%incusd%' AND "processname" IN ('sh','bash','zsh','python3','python','perl','ruby') THEN 'SHELL_FROM_INCUSD'
    ELSE 'SUSPICIOUS'
  END AS threat_category
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'AuditD')
  AND (
    ("parentprocessname" ILIKE '%incusd%' OR "parentprocessname" ILIKE '%incus%')
    AND (
      "commandline" ILIKE '%nsenter%'
      OR "commandline" ILIKE '%unshare%'
      OR "commandline" ILIKE '%chroot%'
      OR "commandline" ILIKE '%pivot_root%'
      OR ("processname" IN ('sh','bash','zsh','python3','python','perl','ruby'))
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
```

Severity: critical. Confidence: medium.

QRadar AQL query identifying processes spawned by incusd that perform shell execution or Linux namespace manipulation, indicative of CVE-2026-48751 exploitation attempts.
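As an added example (not part of this detection page, and not code from Incus or IBM), the query's WHERE and CASE logic ported to Python and run over constructed process events, so the branch order, the fall-through to SUSPICIOUS and the 24-hour window can be checked offline. Field names mirror the AQL columns; the log-source type is modelled as a plain `logsourcetype` string field, which is an assumption made for the example.

```python
from datetime import datetime, timezone

NAMESPACE_TOOLS = ("nsenter", "unshare", "chroot", "pivot_root")
SHELLS = {"sh", "bash", "zsh", "python3", "python", "perl", "ruby"}
LOG_SOURCES = {"Linux OS", "AuditD"}
DAY_MS = 86_400_000  # the same 24-hour window the AQL query uses

def classify(ev):
    """Port of the AQL WHERE and CASE logic. Returns the threat_category for a
    matching event, or None where the WHERE clause would drop it. ILIKE is
    modelled by lower-casing the text fields; IN (...) stays case-sensitive."""
    cmd = ev["commandline"].lower()
    parent = ev["parentprocessname"].lower()
    # WHERE: supported log source and a parent process containing 'incus'
    # ('%incusd%' is a subset of '%incus%', so one check covers both)
    if ev["logsourcetype"] not in LOG_SOURCES or "incus" not in parent:
        return None
    ns_hit = any(tool in cmd for tool in NAMESPACE_TOOLS)
    shell_hit = ev["processname"] in SHELLS
    if not (ns_hit or shell_hit):
        return None
    # CASE: evaluated in order, namespace tools win over the shell branch
    if any(tool in cmd for tool in ("nsenter", "unshare", "chroot")):
        return "NAMESPACE_MANIPULATION"
    if "incusd" in parent and shell_hit:
        return "SHELL_FROM_INCUSD"
    return "SUSPICIOUS"  # e.g. pivot_root, or a shell under the incus client

def run_detection(events, now_ms, window_ms=DAY_MS):
    """Apply the time window, classify, and return hits newest first."""
    hits = [dict(ev, threat_category=cat) for ev in events
            if ev["starttime"] > now_ms - window_ms and (cat := classify(ev))]
    return sorted(hits, key=lambda e: e["starttime"], reverse=True)

# Constructed sample events (not real telemetry); starttime is epoch ms.
NOW_MS = int(datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc).timestamp() * 1000)
H = 3_600_000
def _ev(age_h, proc, parent, cmd, src="Linux OS"):
    return {"starttime": NOW_MS - age_h * H, "sourceip": "10.0.0.5",
            "username": "dev", "processname": proc, "parentprocessname": parent,
            "commandline": cmd, "logsourcetype": src}
SAMPLE_EVENTS = [
    _ev(1, "nsenter", "incusd", "nsenter -t 1 -m -p -- /bin/sh", "AuditD"),
    _ev(2, "bash", "/usr/bin/incusd", "bash -c id"),
    _ev(3, "pivot_root", "incusd", "pivot_root /newroot /newroot/old"),
    _ev(4, "bash", "sshd", "bash -c id"),  # wrong parent: dropped by WHERE
    _ev(5, "incus", "incusd", "incus list"),  # no shell or ns tool: dropped
    _ev(30, "nsenter", "incusd", "nsenter -t 1 -m"),  # outside the 24h window
]
```

Running `run_detection(SAMPLE_EVENTS, NOW_MS)` yields three hits, newest first: NAMESPACE_MANIPULATION, SHELL_FROM_INCUSD and SUSPICIOUS; the sshd-parented shell and the plain `incus list` never match, and the 30-hour-old event matches only when the window is widened.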

Data Sources

  • Linux OS
  • AuditD
  • QRadar Linux Log Source

Required Tables

events

False Positives & Tuning

  • Authorized incus exec commands by administrators performing routine maintenance
  • Development or testing systems where Incus is used heavily for container workflows
  • Orchestration tools performing legitimate namespace inspection
  • Security tooling that monitors container namespaces for compliance

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Incus Restricted Project Shell Escape via Exec API

    Expected signal: Process audit logs showing incusd spawning /bin/sh or nsenter with parent PID of incusd; auditd EXECVE records for nsenter or chroot with ppid matching incusd; /proc/<pid>/ns/pid symlink pointing to host PID namespace

  2. Test 2: Verify Incus Vulnerable Version Present

    Expected signal: Process execution events for incusd --version and incus project list; API calls to /1.0/projects and /1.0/instances visible in incusd access logs

  3. Test 3: Container Escape via Host Namespace Entry Post-Bypass

    Expected signal: Auditd SYSCALL records for nsenter (execve), unshare, clone syscalls; /proc/<pid>/ns/pid and /proc/<pid>/ns/mnt symlinks showing target namespace 1 (host init); process tree showing sh/bash with host-level PID namespace confirmed by NSpid field in /proc/self/status
