CVE-2026-48752

Incus Arbitrary File Read/Write via Malicious Image Template Symlink

CVE-2026-48752 is a critical vulnerability (CVSS 9.9) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. A malicious container image can include a crafted symlink within the templates/ directory that, when processed by incusd during image import or container creation, allows an attacker to read or write arbitrary files on the host filesystem. This constitutes a container escape primitive with host takeover potential. A public proof-of-concept exists.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
go
Product
github.com/lxc/incus/v7/cmd/incusd
Versions
< 7.2.0

Weakness (CWE)

Timeline

Disclosed
June 26, 2026

CVSS

9.9
Critical (9.0–10)

What is CVE-2026-48752 Incus Arbitrary File Read/Write via Malicious Image Template Symlink?

Incus Arbitrary File Read/Write via Malicious Image Template Symlink (CVE-2026-48752) maps to the MITRE ATT&CK tactics Privilege Escalation, Defense Evasion and Lateral Movement; in this case the adversary is trying to gain higher-level permissions on the host.

This page provides production-ready detection logic for Incus Arbitrary File Read/Write via Malicious Image Template Symlink, covering the data sources and telemetry it touches: SecurityEvent, Syslog, AuditLogs, CommonSecurityLog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Privilege Escalation, Defense Evasion, Lateral Movement
Microsoft Sentinel / Defender
kusto
union isfuzzy=true
(
    SecurityEvent
    | where EventID in (4663, 4656)
    | where ObjectName matches regex @"(?i)(templates[\\/]|/var/lib/incus/|/var/snap/incus/)"
    | where ObjectName matches regex @"(?i)(\.\./|\\\.\.\\)"
    | project TimeGenerated, Computer, Account, ObjectName, ProcessName, EventID
),
(
    AuditLogs
    | where OperationName =~ "incusd"
    | where ResultDescription has_any ("symlink", "templates", "path traversal")
    | project TimeGenerated, OperationName, ResultDescription, InitiatedBy
),
(
    Syslog
    | where ProcessName =~ "incusd" or ProcessName =~ "incus"
    | where SyslogMessage has_any ("templates/", "symlink", "path escape", "chroot", "container image")
    | where SyslogMessage has_any ("error", "warn", "failed", "denied")
    | project TimeGenerated, Computer, ProcessName, SyslogMessage, HostName
)
| extend AlertName = "CVE-2026-48752 - Incus Malicious Template Symlink"
| order by TimeGenerated desc

Detects suspicious file access patterns associated with CVE-2026-48752 exploitation — symlink traversal within Incus template directories and anomalous host file access by incusd. Covers Windows Security Events, Azure AD Audit Logs, and Linux Syslog sources.

critical severity medium confidence

Data Sources

SecurityEvent, Syslog, AuditLogs, CommonSecurityLog

Required Tables

SecurityEvent, Syslog, AuditLogs

False Positives

  • Legitimate Incus image imports using templates with absolute paths that resolve correctly within the container rootfs
  • Container management scripts that mount host directories explicitly for known administrative purposes
  • Security scanning tools that intentionally test symlink resolution within container image stores

Sigma rule & cross-platform mapping

The detection logic for Incus Arbitrary File Read/Write via Malicious Image Template Symlink (CVE-2026-48752) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for Microsoft Sentinel / Defender (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Incus Image with Template Symlink Pointing to /etc/passwd

    Expected signal: incusd process accessing /etc/passwd via symlink resolution from templates/ directory; auditd SYSCALL records for readlink/open by incusd PID targeting /etc/passwd

  2. Test 2: Exploit Incus Template Symlink for Arbitrary Host File Write

    Expected signal: incusd creating or writing to /tmp/incus-host-write-target via symlink from templates/; FileWriteInfo events for incusd outside container directories

  3. Test 3: Scan Incus Image Store for Existing Malicious Template Symlinks

    Expected signal: Read-only filesystem traversal of /var/lib/incus/images by the scanning shell process; no incusd involvement expected
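A host-side scanner of the kind Test 3 describes, written here as an added example (not code from this page or from the Incus project). It assumes an image has already been unpacked into a directory that contains a templates/ subdirectory (the rootfs/ sibling directory used in the constructed sample is an assumption, not something the page states). The scan walks templates/ without following links, and reports every symlink whose target is a host-absolute path or lexically climbs out of the unpacked image directory, which is exactly the artifact the detection above is looking for; the sample image with one benign and two escaping links is constructed inline so the script runs offline.

```python
"""Scan an unpacked Incus image directory for template symlinks that resolve
outside the image. Added example; the rootfs/ + templates/ layout is assumed."""
import os
import tempfile
from pathlib import Path


def resolve_symlink_naively(link: Path) -> Path:
    """Resolve one symlink hop the way a plain open(2) on the host sees it:
    an absolute target is a host-absolute path, a relative one is joined to
    the link's own directory. Only lexical normalisation is applied."""
    target = os.readlink(link)
    candidate = Path(target) if os.path.isabs(target) else link.parent / target
    return Path(os.path.normpath(candidate))


def is_inside(root: Path, path: Path) -> bool:
    """Lexical containment check on two normalised absolute paths."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def scan_image_templates(image_dir) -> list:
    """Walk <image>/templates without following symlinks and report every
    symlink found, flagging those that land outside the unpacked image."""
    image_root = Path(os.path.realpath(image_dir))
    templates_dir = image_root / "templates"
    findings = []
    if not templates_dir.is_dir():
        return findings
    for dirpath, dirnames, filenames in os.walk(templates_dir, followlinks=False):
        # directory symlinks show up in dirnames (but are not descended into)
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            one_hop = resolve_symlink_naively(entry)
            # full chain resolution; non-strict so dangling links still resolve lexically
            fully_resolved = Path(os.path.realpath(entry))
            escapes = not (is_inside(image_root, one_hop)
                           and is_inside(image_root, fully_resolved))
            findings.append({
                "link": str(entry.relative_to(image_root)),
                "target": os.readlink(entry),
                "resolves_to": str(fully_resolved),
                "escapes_image": escapes,
            })
    return findings


def build_sample_image(base: Path) -> Path:
    """Constructed sample: a minimal unpacked image with one benign template
    symlink and two that point outside the image (hypothetical link names)."""
    image = base / "image"
    (image / "rootfs" / "etc").mkdir(parents=True)
    (image / "rootfs" / "etc" / "motd").write_text("welcome\n")
    templates = image / "templates"
    templates.mkdir()
    (templates / "motd.tpl").write_text("plain template file\n")
    os.symlink("../rootfs/etc/motd", templates / "motd-link")          # stays inside the image
    os.symlink("/etc/passwd", templates / "passwd-link")               # absolute host path
    os.symlink("../../../../outside.txt", templates / "dotdot-link")   # climbs out of the image
    return image


def run_demo() -> dict:
    """Build the sample image in a temp dir and return {link: escapes_image}."""
    with tempfile.TemporaryDirectory() as tmp:
        image = build_sample_image(Path(tmp))
        return {f["link"]: f["escapes_image"] for f in scan_image_templates(image)}


if __name__ == "__main__":
    for link, escapes in run_demo().items():
        print(f"{'ESCAPES ' if escapes else 'ok      '}{link}")
```

Point scan_image_templates at each unpacked image directory under the image store to triage an existing host; because the walk never follows links, a hostile image cannot steer the scanner itself out of the store, and a link is reported as escaping if either its first hop or its fully resolved path leaves the image directory.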
