CVE-2026-48752 IBM QRadar · QRadar

Detect Incus Arbitrary File Read/Write via Malicious Image Template Symlink in IBM QRadar

CVE-2026-48752 is a critical vulnerability (CVSS 9.9) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. A malicious container image can include a crafted symlink within the templates/ directory that, when processed by incusd during image import or container creation, allows an attacker to read or write arbitrary files on the host filesystem. This constitutes a container escape primitive with host takeover potential. A public proof-of-concept exists.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    username,
    "devicehostname" AS hostname,
    "filename" AS affected_file,
    "filepath" AS affected_path,
    CATEGORYNAME(category) AS event_category,
    "Process Name" AS process_name,
    UTF8(payload) AS raw_payload
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Linux Audit', 'Syslog')
    AND (
        ("Process Name" IMATCHES '(?i)incusd?'
         AND (
             "filename" IMATCHES '(?i)templates[/\\\\]'
             OR "filepath" IMATCHES '(?i)\.\.[/\\\\]'
             OR UTF8(payload) IMATCHES '(?i)(symlink|path.escape|container.image|chroot)'
         ))
        OR
        ("Process Name" IMATCHES '(?i)incusd?'
         AND "filepath" IMATCHES '(?i)(/etc/|/root/|/proc/|/sys/)'
         AND category IN (18, 19))
    )
    AND starttime > NOW() - 1 HOURS
ORDER BY starttime DESC
LIMIT 500
critical severity medium confidence

QRadar AQL query correlating incusd process activity with symlink or path traversal indicators within template directories and unexpected host filesystem access in sensitive locations.

Data Sources

Linux OS log sourceLinux AuditSyslog

Required Tables

events

False Positives & Tuning

  • Incus administrative operations that legitimately access host paths for device passthrough configuration
  • Log ingestion delays causing historical image-import events to appear as new alerts
  • Pentest or red team exercises operating against Incus in a lab environment

Other platforms for CVE-2026-48752

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious Incus Image with Template Symlink Pointing to /etc/passwd

    Expected signal: incusd process accessing /etc/passwd via symlink resolution from templates/ directory; auditd SYSCALL records for readlink/open by incusd PID targeting /etc/passwd

  2. Test 2Exploit Incus Template Symlink for Arbitrary Host File Write

    Expected signal: incusd creating or writing to /tmp/incus-host-write-target via symlink from templates/; FileWriteInfo events for incusd outside container directories

  3. Test 3Scan Incus Image Store for Existing Malicious Template Symlinks

    Expected signal: Read-only filesystem traversal of /var/lib/incus/images by the scanning shell process; no incusd involvement expected

Last updated: 2026-06-27 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-48752 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0008Lateral Movement

Related Techniques

T1611Escape to HostT1083File and Directory DiscoveryT1565Data ManipulationT1195Supply Chain Compromise

Same Tactic: Privilege Escalation

Popular Detections