Detect Incus Arbitrary File Read/Write via Malicious Image Template Symlink in Google Chronicle
CVE-2026-48752 is a critical vulnerability (CVSS 9.9) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. A malicious container image can include a crafted symlink within the templates/ directory that, when processed by incusd during image import or container creation, allows an attacker to read or write arbitrary files on the host filesystem. This constitutes a container escape primitive with host takeover potential. A public proof-of-concept exists.
YARA-L Detection Query
rule cve_2026_48752_incus_template_symlink {
  meta:
    author = "Argus Detection Platform"
    description = "Detects CVE-2026-48752: Incus arbitrary file read/write via malicious image template symlink"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/lxc/incus/security/advisories/GHSA-vxp5-584q-c479"
    cve = "CVE-2026-48752"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and $e.principal.process.file.full_path = /(?i)incusd?$/
    )
    or
    (
      $e.metadata.event_type = "FILE_OPEN"
      and $e.principal.process.file.full_path = /(?i)incusd?$/
      and (
        $e.target.file.full_path = /(?i)(templates\/|templates\\)/
        or $e.target.file.full_path = /(\/etc\/|\/root\/|\/proc\/|\/sys\/)/
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION"
      and $e.principal.process.file.full_path = /(?i)incusd?$/
      and $e.target.file.full_path = /(\/etc\/|\/root\/|\/var\/snap\/incus\/|\.\.\/)/
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting incusd process activity involving template directory access or host file creation outside container boundaries, indicative of CVE-2026-48752 exploitation.
False Positives & Tuning
- Incus daemon writing ephemeral configuration files to expected host paths during container boot
- Authorised Incus cluster operations accessing shared image storage with broad path patterns
- Security tooling that instruments incusd for monitoring and writes audit records to sensitive paths
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious Incus Image with Template Symlink Pointing to /etc/passwd
  Expected signal: incusd process accessing /etc/passwd via symlink resolution from the templates/ directory; auditd SYSCALL records for readlink/open by the incusd PID targeting /etc/passwd
- Test 2: Exploit Incus Template Symlink for Arbitrary Host File Write
  Expected signal: incusd creating or writing to /tmp/incus-host-write-target via a symlink from templates/; FileWriteInfo events for incusd outside container directories
- Test 3: Scan Incus Image Store for Existing Malicious Template Symlinks
  Expected signal: read-only filesystem traversal of /var/lib/incus/images by the scanning shell process; no incusd involvement expected
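Before deploying the rule, it is worth checking which of the expected signals above its three clauses actually cover. The following is an added example (not from the original page or from Argus) that re-implements the rule's match logic in Python and runs it over constructed, flattened UDM-style events; the event field names and paths are assumptions for illustration. Note that it shows the write target used by Test 2 (/tmp/incus-host-write-target) is not covered by the FILE_CREATION clause's path list, so that test relies on the FILE_OPEN clause matching the templates/ path.

```python
import re

# Same patterns as the YARA-L rule, translated to Python regexes (unanchored search, like YARA-L).
INCUS_PROC = re.compile(r"(?i)incusd?$")
TEMPLATES = re.compile(r"(?i)(templates/|templates\\)")
HOST_READ = re.compile(r"(/etc/|/root/|/proc/|/sys/)")
HOST_WRITE = re.compile(r"(/etc/|/root/|/var/snap/incus/|\.\./)")


def matches_rule(event: dict) -> bool:
    """Return True when a flattened event satisfies cve_2026_48752_incus_template_symlink.

    Field names (event_type, process_path, target_path) are a hypothetical flattening of
    metadata.event_type, principal.process.file.full_path and target.file.full_path.
    """
    etype = event.get("event_type", "")
    proc = event.get("process_path", "")
    target = event.get("target_path", "")
    if not INCUS_PROC.search(proc):          # every clause requires an incus/incusd process
        return False
    if etype == "PROCESS_LAUNCH":            # clause 1: any incusd launch
        return True
    if etype == "FILE_OPEN":                 # clause 2: template dir or sensitive host read
        return bool(TEMPLATES.search(target) or HOST_READ.search(target))
    if etype == "FILE_CREATION":             # clause 3: host write paths or traversal
        return bool(HOST_WRITE.search(target))
    return False


# Constructed sample events (not real telemetry) mirroring the tests listed on this page.
SAMPLE_EVENTS = [
    {"event_type": "FILE_OPEN", "process_path": "/usr/bin/incusd",
     "target_path": "/var/lib/incus/images/abc123/templates/hostname.tpl"},   # Test 1 template read
    {"event_type": "FILE_OPEN", "process_path": "/usr/bin/incusd", "target_path": "/etc/passwd"},  # Test 1 target
    {"event_type": "FILE_CREATION", "process_path": "/usr/bin/incusd",
     "target_path": "/tmp/incus-host-write-target"},                            # Test 2: not in clause 3
    {"event_type": "FILE_CREATION", "process_path": "/usr/bin/incusd",
     "target_path": "/var/lib/incus/images/abc123/templates/../../../../etc/hostname"},  # traversal
    {"event_type": "FILE_OPEN", "process_path": "/usr/bin/vim", "target_path": "/etc/passwd"},  # wrong process
    {"event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/incus", "target_path": ""},  # CLI launch
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Evaluate the rule over each sample event and return the list of hit/miss results."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("HIT " if hit else "miss", e["event_type"], e["target_path"] or e["process_path"])
```

The last sample also shows that the PROCESS_LAUNCH clause fires on every incus or incusd start, which is the main source of volume to tune for in the False Positives section above.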