Detect CVE-2026-48751: Incus Restricted Project Bypass Leading to Arbitrary Command Execution in Splunk
Detects exploitation of CVE-2026-48751, a critical missing authorization vulnerability (CWE-862) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. An attacker with access to a restricted Incus project can bypass project restrictions to execute arbitrary commands on the host system, achieving container escape with a CVSS score of 9.9. A public proof-of-concept is available.
MITRE ATT&CK
SPL Detection Query
index=linux OR index=endpoint sourcetype IN ("linux:audit", "auditd", "syslog", "osquery:results")
("incusd" OR "incus")
| eval is_escape_attempt=if(match(cmdline, "(nsenter|unshare|chroot|pivot_root)"), 1, 0)
| eval is_shell_spawn=if(match(process, "^(.*/)?(sh|bash|zsh|fish|python[23]?|perl|ruby)$") AND parent_process IN ("incusd", "incus"), 1, 0)
| eval is_privileged_op=if(match(cmdline, "((-t|--target)[ =]1\b|--mount|--pid|--net|--uts)"), 1, 0)
| eval risk_score=case(
    is_escape_attempt=1, 100,
    is_shell_spawn=1 AND is_privileged_op=1, 90,
    is_shell_spawn=1, 60,
    true(), 50)
| where risk_score >= 80
| stats count BY host, user, process, parent_process, cmdline, risk_score, _time
| sort -risk_score, -_time
Detects Incus restricted project bypass exploitation by identifying shell spawning and namespace manipulation activities originating from incusd processes on Linux hosts. The shell match accepts a full path (/bin/sh as well as sh), the --target check requires the literal host namespace 1 rather than any argument containing a 1, and the single risk_score threshold is the only filter, so the 60- and 50-point branches remain available for tuning by lowering the threshold.
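To see what the query's scoring does on concrete records, here is an added Python re-implementation of the same logic (not part of the original page or of Splunk) run over constructed audit-style records; it assumes the normalised field names process, parent_process and cmdline that the SPL relies on.

```python
import re

# Patterns transcribed from the SPL query above. The shell pattern also
# accepts a leading path (/bin/sh as well as sh); the --target check wants
# the literal namespace 1 rather than any argument containing a 1.
ESCAPE_RE = re.compile(r"(nsenter|unshare|chroot|pivot_root)")
SHELL_RE = re.compile(r"^(.*/)?(sh|bash|zsh|fish|python[23]?|perl|ruby)$")
PRIV_RE = re.compile(r"((-t|--target)[ =]1\b|--mount|--pid|--net|--uts)")
INCUS_PARENTS = {"incusd", "incus"}
THRESHOLD = 80  # the SPL's "where risk_score >= 80"

# Constructed sample records, not real telemetry; field names follow the
# normalised layout the SPL assumes (process, parent_process, cmdline).
SAMPLE_EVENTS = [
    {"host": "incus-node-1", "user": "root", "process": "nsenter",
     "parent_process": "incusd",
     "cmdline": "nsenter --target 1 --mount --pid --net -- /bin/sh"},
    {"host": "incus-node-1", "user": "ops", "process": "/bin/bash",
     "parent_process": "incusd",
     "cmdline": "/bin/bash -c 'systemctl status nginx'"},  # admin incus exec
    {"host": "web-01", "user": "root", "process": "/usr/sbin/cron",
     "parent_process": "systemd", "cmdline": "/usr/sbin/cron -f"},
]

def score_event(ev: dict) -> int:
    """Risk score the SPL's case() would assign; 0 means the record never
    reaches scoring because no field mentions incus (the base search)."""
    if not any("incus" in str(v) for v in ev.values()):
        return 0
    cmdline = ev.get("cmdline", "")
    escape = ESCAPE_RE.search(cmdline) is not None
    shell = (SHELL_RE.match(ev.get("process", "")) is not None
             and ev.get("parent_process") in INCUS_PARENTS)
    priv = PRIV_RE.search(cmdline) is not None
    if escape:
        return 100
    if shell and priv:
        return 90
    return 60 if shell else 50

def alerts(events: list, threshold: int = THRESHOLD) -> list:
    """Records at or above the threshold, highest score first (the SPL's sort);
    lowering the threshold surfaces the 60-point admin shells for tuning."""
    scored = [dict(ev, risk_score=score_event(ev)) for ev in events]
    hits = [ev for ev in scored if ev["risk_score"] >= threshold]
    return sorted(hits, key=lambda ev: ev["risk_score"], reverse=True)
```

Calling alerts(SAMPLE_EVENTS) returns only the nsenter record (score 100); the administrator's incus exec shell scores 60 and is suppressed at the default threshold, and the cron record never reaches scoring.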
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized system administrators using incus exec for legitimate container operations
- CI/CD pipelines that use Incus containers and regularly execute commands inside them
- Monitoring agents that inspect container processes via incusd
- Lab or development environments with intentionally permissive Incus project configurations
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Incus Restricted Project Shell Escape via Exec API
Expected signal: Process audit logs showing incusd spawning /bin/sh or nsenter with parent PID of incusd; auditd EXECVE records for nsenter or chroot with ppid matching incusd; /proc/<pid>/ns/pid symlink pointing to host PID namespace
- Test 2: Verify Incus Vulnerable Version Present
Expected signal: Process execution events for incusd --version and incus project list; API calls to /1.0/projects and /1.0/instances visible in incusd access logs
- Test 3: Container Escape via Host Namespace Entry Post-Bypass
Expected signal: Auditd SYSCALL records for nsenter (execve), unshare, clone syscalls; /proc/<pid>/ns/pid and /proc/<pid>/ns/mnt symlinks showing target namespace 1 (host init); process tree showing sh/bash with host-level PID namespace confirmed by NSpid field in /proc/self/status