Detect CVE-2026-48753: Incus S3 Multipart Upload Path Traversal Arbitrary File Write in Splunk

Detects exploitation of CVE-2026-48753, a critical path traversal vulnerability (CVSS 9.9) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.1.0. An attacker can write arbitrary files on the host by crafting malicious S3 multipart upload requests containing path traversal sequences in the object key, potentially leading to container escape, privilege escalation, or persistent backdoor installation.

MITRE ATT&CK

Tactic
Initial Access, Persistence, Privilege Escalation, Lateral Movement

SPL Detection Query

index=linux sourcetype IN (syslog, linux_secure, osquery_differential)
(
  (
    (process_name="incusd" OR process="incusd")
    AND message IN ("*../*", "*..\\*", "*%2e%2e%2f*", "*%2e%2e%5c*", "*%252e%252e*")
  )
  OR
  (
    sourcetype="osquery_differential"
    AND name="file_events"
    AND columns.process_name="incusd"
    AND NOT (
      columns.target_path="/var/lib/incus/storage-pools/*"
      OR columns.target_path="/var/lib/incus/containers/*"
      OR columns.target_path="/run/incus/*"
    )
  )
)
| eval traversal_detected=if(match(message, "(?i)(\.\./|%2e%2e%2f|%2e%2e%5c|%2e%2e/|%252e%252e)"), "yes", "no")
| eval file_outside_storage=if(sourcetype="osquery_differential" AND NOT match('columns.target_path', "^(/var/lib/incus|/run/incus)/"), "yes", "no")
| eval risk_score=case(
    traversal_detected="yes" AND file_outside_storage="yes", 100,
    traversal_detected="yes", 80,
    file_outside_storage="yes", 70,
    true(), 50
  )
| where risk_score >= 70
| table _time, host, sourcetype, process_name, columns.process_name, columns.target_path, message, traversal_detected, file_outside_storage, risk_score
| sort -risk_score
Severity: critical. Confidence: high.

Detects Incus S3 multipart path traversal exploitation by identifying traversal sequences in incusd process logs and file writes to unexpected locations via osquery file event monitoring.
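The same detection logic as the SPL query, re-expressed in Python as an added example (not part of this detection package) so it can be run over sample events offline before the search is deployed. It goes one step beyond the query by percent-decoding each message repeatedly, so a mixed-encoded key such as `..%2f` is caught even though no single literal pattern in the query matches it. Hostnames, paths and event dicts below are constructed samples.

```python
import re
from urllib.parse import unquote

# Added example mirroring the SPL detection above (not the page's own code):
# traversal patterns in incusd log messages, osquery file_events landing
# outside the Incus storage tree, and the same case() risk ladder.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c|%252e%252e", re.I)
ALLOWED_PREFIXES = ("/var/lib/incus/", "/run/incus/")

def decode_layers(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded keys (%252e) unwrap too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def traversal_detected(message: str) -> bool:
    """Raw pattern hit, or a '..' segment that only appears after decoding."""
    return bool(TRAVERSAL_RE.search(message) or re.search(r"\.\.[/\\]", decode_layers(message)))

def file_outside_storage(event: dict) -> bool:
    """osquery file_events by incusd whose target_path leaves the allowlist."""
    if event.get("sourcetype") != "osquery_differential" or event.get("process_name") != "incusd":
        return False
    return not event.get("target_path", "").startswith(ALLOWED_PREFIXES)

def risk_score(event: dict) -> int:
    """Same ladder as the SPL case(): 100 / 80 / 70 / 50."""
    trav, outside = traversal_detected(event.get("message", "")), file_outside_storage(event)
    return 100 if trav and outside else 80 if trav else 70 if outside else 50

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "n1", "sourcetype": "syslog", "process_name": "incusd",
     "message": "multipart upload key=%252e%252e/%252e%252e/etc/cron.d/x"},
    {"host": "n1", "sourcetype": "syslog", "process_name": "incusd",
     "message": "multipart upload key=backups/vm1/part-0001"},
    {"host": "n2", "sourcetype": "osquery_differential", "process_name": "incusd",
     "target_path": "/etc/cron.d/incus-task"},
    {"host": "n2", "sourcetype": "osquery_differential", "process_name": "incusd",
     "target_path": "/var/lib/incus/storage-pools/default/buckets/b1/obj"},
]

def alerts(events, threshold: int = 70):
    """Equivalent of '| where risk_score >= 70 | sort -risk_score'."""
    scored = [(e["host"], risk_score(e)) for e in events if risk_score(e) >= threshold]
    return sorted(scored, key=lambda s: -s[1])
```

Running `alerts(SAMPLE_EVENTS)` yields the two events the SPL would surface: the double-encoded key (80) and the cron.d write (70); the in-tree storage write and the benign key are dropped.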

Data Sources

Linux Syslog, osquery

Required Sourcetypes

syslog, linux_secure, osquery_differential

False Positives & Tuning

  • Legitimate backup jobs using incusd writing to alternate mount points
  • Custom storage configurations deviating from /var/lib/incus default
  • URL-encoded characters in legitimate object keys that happen to match traversal patterns
  • Security assessment tools conducting authorized penetration tests against Incus API

Testing Methodology

Validate this detection against the 4 adversary techniques below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: CVE-2026-48753 PoC: Path Traversal via S3 Multipart Upload Initiation

    Expected signal: Network log showing PUT/POST request to Incus S3 endpoint with URL-encoded path traversal sequence in the request URI; incusd process log entries showing the malformed object key

  2. Test 2: CVE-2026-48753 Simulation: Anomalous File Write by Incusd Process

    Expected signal: Linux audit log (auditd) syscall record showing openat/write to /etc/cron.d/ by process running as root; osquery file_events showing new file creation at sensitive path; EDR file creation alert for /etc/cron.d/

  3. Test 3: CVE-2026-48753 Detection Validation: Incusd Version Audit

    Expected signal: Process execution telemetry showing incus binary invoked with --version flag; no file modifications or network connections generated

  4. Test 4: CVE-2026-48753 S3 Multipart Upload with Double-Encoded Traversal

    Expected signal: Network request logs showing PUT to Incus S3 endpoint with %252e%252e and %2e%2e encoded sequences; incusd application logs recording the object key with encoded traversal characters before server-side decoding
