CVE-2026-48755

CVE-2026-48755: Incus Argument Injection in Backup Compression Algorithm (AFW/ACE)

Detects exploitation of CVE-2026-48755, an argument injection vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. The vulnerability exists in the backup compression algorithm selection, where unsanitized input is passed to compression utilities, enabling arbitrary file write (AFW) and arbitrary code execution (ACE) with incusd process privileges. An attacker with API access to the Incus daemon can inject shell metacharacters or additional arguments into the compression command, potentially achieving container escape or host compromise.
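The description above names the bug class but not what it looks like in code. The following is an added illustration of the pattern, written for this page and not taken from Incus (the Incus code base is Go and its actual backup code is not reproduced here): a backup endpoint that interpolates the request's compression-algorithm field into a shell pipeline, beside the hardened form that treats the field as an allowlist key. The algorithm table, paths and the `vulnerable_command` / `hardened_argv` names are assumptions made for the example; the vulnerable command string is returned for inspection, never executed.

```python
import shlex

# Allowlist of accepted compression algorithms, each mapped to a fixed argv.
# The names and flags are assumptions for this example, not Incus's own table.
COMPRESSORS = {
    "gzip":  ["gzip", "-c"],
    "bzip2": ["bzip2", "-c"],
    "xz":    ["xz", "-c"],
    "zstd":  ["zstd", "-c"],
    "lz4":   ["lz4", "-c"],
}

# Shell control operators and expansion characters as shlex tokenises them.
SHELL_OPERATORS = {";", "&", "&&", "|", "||", ">", ">>", "<", "(", ")", "`", "$"}


def vulnerable_command(algorithm: str) -> str:
    """The vulnerable pattern: the request field is interpolated into a shell
    pipeline string. Returned rather than executed so the effect of an injected
    value can be inspected offline. Paths are placeholders, not Incus paths."""
    return f"tar -cf - /backup/source | {algorithm} > /backup/out.tar.compressed"


def shell_operators(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would and return the
    control operators in order. The clean pipeline yields exactly one '|' and
    one '>'; an injected value adds separators that start further commands."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


def hardened_argv(algorithm: str) -> list[str]:
    """The hardened pattern: the field selects an allowlist entry and never
    becomes an argument itself. A character filter alone is not enough, because
    a value beginning with '-' (e.g. --use-compress-program=...) contains no
    metacharacters yet is parsed as an option by the utility even with
    shell=False; only an exact allowlist closes both holes."""
    try:
        return list(COMPRESSORS[algorithm])
    except KeyError:
        raise ValueError(f"unsupported compression algorithm: {algorithm!r}") from None


def is_accepted(algorithm: str) -> bool:
    """True if the hardened check would let the value through."""
    try:
        hardened_argv(algorithm)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("gzip", "gzip; id > /tmp/id_output.txt", "--use-compress-program=/tmp/x"):
        ops = shell_operators(vulnerable_command(value))
        print(f"{value!r}: shell operators={ops} accepted by allowlist={is_accepted(value)}")
```

Running the block shows the two failure modes side by side: the `;` value adds a second command and a second redirect to the pipeline, while the `--use-compress-program=...` value passes a metacharacter scan untouched and is only stopped by the allowlist.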

Vulnerability Intelligence

Public PoC

Affected Software
  Vendor: go (Go module ecosystem; the upstream project is lxc/incus)
  Product: github.com/lxc/incus/v7/cmd/incusd
  Versions: < 7.2.0

Weakness (CWE)

Timeline
  Disclosed: June 26, 2026

CVSS
  9.9, Critical (9.0–10)

What is CVE-2026-48755: Incus Argument Injection in Backup Compression Algorithm (AFW/ACE)?

CVE-2026-48755 (Incus Argument Injection in Backup Compression Algorithm, AFW/ACE) maps to the MITRE ATT&CK tactics Initial Access, Privilege Escalation and Execution: the adversary is trying to get into your environment, run code, and gain higher-level permissions.

This page provides production-ready detection logic for CVE-2026-48755: Incus Argument Injection in Backup Compression Algorithm (AFW/ACE), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Syslog, Linux audit logs. The queries are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Privilege Escalation, Execution
Microsoft Sentinel / Defender (KQL)

union
(
    // Process telemetry (Defender for Endpoint on Linux): compression utilities spawned by incusd,
    // either directly or one level down the process tree
    DeviceProcessEvents
    | where FileName in~ ("gzip", "bzip2", "xz", "zstd", "lz4", "tar")
    | where InitiatingProcessFileName =~ "incusd" or InitiatingProcessParentFileName =~ "incusd"
    // Shell metacharacters (the class includes the redirect and comment characters '<', '>' and '#'
    // that the test cases below rely on), any long option, or a path traversal sequence in the
    // child command line. The bare "--" clause matches every long option and is the noisy one;
    // see False Positives for tuning.
    | where ProcessCommandLine matches regex @"[;&|`$()<>#\\]"
        or ProcessCommandLine contains "--"
        or ProcessCommandLine contains "../"
    | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName, FolderPath
    | extend Technique = "Argument Injection via Incus Backup Compression"
),
(
    // Daemon logging via Syslog: incusd backup/compression messages carrying metacharacters
    // or the two options most useful to an attacker
    Syslog
    | where ProcessName =~ "incusd" or SyslogMessage contains "incusd"
    | where SyslogMessage contains "backup" and SyslogMessage contains "compress"
    | where SyslogMessage matches regex @"[;&|`$()\\]"
        or SyslogMessage contains "--output"
        or SyslogMessage contains "--use-compress-program"
    | project TimeGenerated, HostName = Computer, ProcessName, SyslogMessage
    | extend Technique = "Argument Injection via Incus Backup Compression"
)
| where isnotempty(TimeGenerated)
| order by TimeGenerated desc

Detects compression utilities spawned by incusd (directly or one level down the process tree) whose command line carries shell metacharacters, long options, or path traversal sequences, the pattern expected from CVE-2026-48755 exploitation, together with incusd Syslog messages about backup compression that carry the same markers. The bare "--" clause in the process branch matches any long option and is the main source of the false positives listed below.

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Syslog, Linux audit logs

Required Tables

DeviceProcessEvents, Syslog

False Positives

  • Legitimate Incus backup operations with complex but valid compression arguments
  • Security scanning tools that enumerate Incus API endpoints with unusual parameters
  • Automated backup scripts that pass non-default compression flags through the Incus API
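To make the process branch of the query and the false-positive list concrete, the following is an added example written for this page (it is not part of the original page and not Incus or vendor code) that applies the same rule to a handful of constructed process-creation records: the compression-utility and incusd parent checks, the metacharacter class, the `../` check, and the long-option clause, with a tuning allowlist for long options that legitimate backups are known to use. The `ProcessEvent` record, the `benign_flags` allowlist and every sample command line are assumptions made for the example; the samples are modelled on the three test cases described further down and on benign activity, not captured from a real Incus host.

```python
import re
from dataclasses import dataclass

# Child processes the rule watches, as in the query's FileName clause.
COMPRESSORS = {"gzip", "bzip2", "xz", "zstd", "lz4", "tar"}
# Shell metacharacters plus the redirect and comment characters the test cases mention.
METACHARS = re.compile(r"[;&|`$()<>#\\]")
# Long options a backup never needs; flagged regardless of tuning (the two the Syslog clause names).
DANGEROUS_OPTIONS = {"--use-compress-program", "--output"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; field names follow DeviceProcessEvents."""
    device_name: str
    initiating_process: str   # InitiatingProcessFileName
    initiating_parent: str    # InitiatingProcessParentFileName
    file_name: str            # FileName
    command_line: str         # ProcessCommandLine


def reasons(event: ProcessEvent, benign_flags: frozenset = frozenset()) -> list:
    """Return why an event matches, or [] if it does not. benign_flags is a tuning
    allowlist (an assumption for this example) of long options that legitimate
    backups on your hosts are known to pass."""
    if event.file_name.lower() not in COMPRESSORS:
        return []
    if "incusd" not in (event.initiating_process.lower(), event.initiating_parent.lower()):
        return []
    found = []
    if METACHARS.search(event.command_line):
        found.append("shell-metacharacter")
    if "../" in event.command_line:
        found.append("path-traversal")
    for token in event.command_line.split():
        if not token.startswith("--"):
            continue
        name = token.split("=", 1)[0]          # "--opt=value" -> "--opt"
        if name in DANGEROUS_OPTIONS:
            found.append(f"dangerous-option:{name}")
        elif name not in benign_flags:
            found.append(f"long-option:{name}")  # the noisy clause; tune via benign_flags
    return found


def detect(events, benign_flags: frozenset = frozenset()):
    """Run the rule over a batch and return (command_line, reasons) for each hit."""
    hits = []
    for event in events:
        why = reasons(event, benign_flags)
        if why:
            hits.append((event.command_line, why))
    return hits


# Constructed sample telemetry: benign backup activity, the three test-case shapes,
# and an unrelated gzip from an interactive shell. Illustrative, not captured from Incus.
SAMPLE_EVENTS = [
    ProcessEvent("node-a", "incusd", "systemd", "gzip", "gzip -c -n"),
    ProcessEvent("node-a", "incusd", "systemd", "tar", "tar --numeric-owner -cf - ."),
    ProcessEvent("node-a", "incusd", "systemd", "gzip", "gzip -9 > /tmp/pwned.txt #"),
    ProcessEvent("node-a", "incusd", "systemd", "tar", "tar --use-compress-program=/tmp/run.sh -cf - ."),
    ProcessEvent("node-a", "incusd", "systemd", "xz", "xz -c ../../etc/shadow"),
    ProcessEvent("node-b", "bash", "sshd", "gzip", "gzip -c notes.txt; id"),
]

if __name__ == "__main__":
    for cmd, why in detect(SAMPLE_EVENTS, benign_flags=frozenset({"--numeric-owner"})):
        print(f"ALERT {cmd!r}: {', '.join(why)}")
```

Untuned, the rule fires on four of the six records, including the benign `--numeric-owner` invocation; adding that option to the allowlist drops it to the three injected shapes while `--use-compress-program` stays flagged whatever the allowlist says. The last record carries a `;` but is ignored because neither parent is incusd, which is the scoping that keeps this rule from firing on every shell-driven gzip on the host.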

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-48755: Incus Argument Injection in Backup Compression Algorithm (AFW/ACE) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource (incusd runs on Linux hosts, so the process-creation source is the Linux one, not Windows):

logsource:
  category: process_creation
  product: linux

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Incus Backup Compression Argument Injection via API (File Write)

    Expected signal: Process event: incusd spawns gzip with command line containing '>' and '#' characters; file creation event at /tmp/pwned.txt by gzip process with parent incusd

  2. Test 2: Incus Backup Compression Injection via tar --use-compress-program

    Expected signal: Process chain: incusd -> tar with --use-compress-program argument; incusd -> sh -c with id command; file write to /tmp/id_output.txt

  3. Test 3: Incus REST API Direct Backup Request with Injected Compression Algorithm

    Expected signal: Incus API audit log entry for POST /1.0/instances/test-container/backups with compression_algorithm containing semicolon and redirect; gzip process spawned by incusd with injected shell command in arguments
