Detect CVE-2026-48751: Incus Restricted Project Bypass Leading to Arbitrary Command Execution in Microsoft Sentinel
Detects exploitation of CVE-2026-48751, a critical missing authorization vulnerability (CWE-862) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. An attacker with access to a restricted Incus project can bypass project restrictions to execute arbitrary commands on the host system, achieving container escape with a CVSS score of 9.9. A public proof-of-concept is available.
MITRE ATT&CK
KQL Detection Query
union
(SecurityEvent
| where EventID in (4688, 4689)
| where ParentProcessName has_any ("incusd", "incus")
| where CommandLine has_any ("exec", "shell", "bash", "sh", "/bin/sh", "/bin/bash")
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine, EventID),
(DeviceProcessEvents
| where InitiatingProcessFileName has_any ("incusd", "incus")
| where FileName in~ ("sh", "bash", "python3", "python", "perl", "ruby")
| where ProcessCommandLine has_any ("exec", "chroot", "nsenter", "unshare")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine)
| where TimeGenerated >= ago(24h)
| extend RiskScore = case(
ProcessCommandLine has_any ("nsenter", "unshare", "chroot"), 100,
ProcessCommandLine has "exec", 80,
50)
| where RiskScore >= 80
| sort by TimeGenerated descDetects processes spawned by incusd that indicate container escape or privilege escalation attempts via the restricted project bypass in CVE-2026-48751. Looks for shell spawning and namespace manipulation tools launched from incusd parent processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative use of incus exec for authorized container management
- Automated orchestration tools that use incus exec for provisioning tasks
- Security scanning or compliance tooling that inspects container environments
- Development environments where frequent container exec operations are expected
Other platforms for CVE-2026-48751
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Incus Restricted Project Shell Escape via Exec API
Expected signal: Process audit logs showing incusd spawning /bin/sh or nsenter with parent PID of incusd; auditd EXECVE records for nsenter or chroot with ppid matching incusd; /proc/<pid>/ns/pid symlink pointing to host PID namespace
- Test 2Verify Incus Vulnerable Version Present
Expected signal: Process execution events for incusd --version and incus project list; API calls to /1.0/projects and /1.0/instances visible in incusd access logs
- Test 3Container Escape via Host Namespace Entry Post-Bypass
Expected signal: Auditd SYSCALL records for nsenter (execve), unshare, clone syscalls; /proc/<pid>/ns/pid and /proc/<pid>/ns/mnt symlinks showing target namespace 1 (host init); process tree showing sh/bash with host-level PID namespace confirmed by NSpid field in /proc/self/status
Unlock Pro Content
Get the full detection package for CVE-2026-48751 including response playbook, investigation guide, and atomic red team tests.