Detect CVE-2026-48755: Incus Argument Injection in Backup Compression Algorithm (AFW/ACE) in Google Chronicle
Detects exploitation of CVE-2026-48755, an argument injection vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. The vulnerability exists in the backup compression algorithm selection, where unsanitized input is passed to compression utilities, enabling arbitrary file write (AFW) and arbitrary code execution (ACE) with incusd process privileges. An attacker with API access to the Incus daemon can inject shell metacharacters or additional arguments into the compression command, potentially achieving container escape or host compromise.
YARA-L Detection Query
```
rule cve_2026_48755_incus_argument_injection {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects CVE-2026-48755: Incus argument injection in backup compression leading to AFW/ACE"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "TA0001, TA0004, TA0002"
    mitre_attack_technique = "T1190, T1611, T1059"
    reference = "https://github.com/lxc/incus/security/advisories/GHSA-v6mj-8pf4-hhw4"

  events:
    // $e1: incusd is the launching (principal) process of some child
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /incusd$/
    $e1.principal.hostname = $host

    // $e2: a compression utility launched by incusd. Which UDM field holds the
    // parent is parser-dependent, so both common mappings are accepted.
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e2.principal.process.file.full_path = /incusd$/ or
      $e2.principal.process.parent_process.file.full_path = /incusd$/
    )
    $e2.target.process.file.full_path = /(gzip|bzip2|xz|zstd|lz4|tar|pigz)$/
    $e2.principal.hostname = $host

    // Injection indicators in the compressor's arguments: shell metacharacters
    // (; & | ` $ ( ) \), tar compressor-override flags, or path traversal.
    // The metacharacter class is double-quoted so the backtick can be written as \x60;
    // a raw backtick string cannot contain a backtick.
    (
      re.regex($e2.target.process.command_line, "[;&|\\x60$()\\\\]") or
      re.contains($e2.target.process.command_line, "--use-compress-program") or
      re.contains($e2.target.process.command_line, "--checkpoint-action") or
      re.contains($e2.target.process.command_line, "-I ") or
      re.regex($e2.target.process.command_line, `\.\.[/\\]`)
    )

    // $e2 must occur at or after $e1 and no more than 60 seconds later
    $e1.metadata.collected_timestamp.seconds <= $e2.metadata.collected_timestamp.seconds
    $e2.metadata.collected_timestamp.seconds - $e1.metadata.collected_timestamp.seconds <= 60

  match:
    // match variables must be placeholders bound in the events section
    $host over 1m

  outcome:
    // rules with a match section aggregate their outcome variables
    $risk_score = max(95)
    $hostname = array_distinct($e1.principal.hostname)
    $compression_tool = array_distinct($e2.target.process.file.full_path)
    $injected_cmdline = array_distinct($e2.target.process.command_line)

  condition:
    $e1 and $e2
}
```

Chronicle YARA-L rule detecting incusd spawning compression utilities with argument injection patterns within a 60-second window. Both events are joined on the `$host` placeholder so that the 60-second correlation is evaluated per host rather than across the whole tenant.
False Positives & Tuning
- Incus backup operations using legitimate but uncommon compression arguments in managed environments
- Infrastructure-as-code pipelines that invoke Incus backup API with templated compression settings
- Security testing frameworks validating Incus API surface with crafted but non-malicious payloads
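As an added, offline re-implementation of the rule's matching logic (written for this page; it is not Chronicle code and not df00tech's), the following Python runs the same indicator patterns over a few constructed PROCESS_LAUNCH records. The `ProcessLaunch` field names, the sample paths and command lines, and the allowlist in `is_allowed_compression_algorithm` are assumptions. It flags the events the rule would alert on, including the legitimate `-I pigz` case from the false-positive list above, and shows that a command line carrying only `>` or `#` (the Test 1 signal in the testing section) falls outside the rule's metacharacter class.

```python
import re
from dataclasses import dataclass

# Indicator patterns ported from the YARA-L rule (constructed re-implementation).
SHELL_META = re.compile(r"[;&|`$()\\]")        # shell metacharacters the rule looks for
TRAVERSAL = re.compile(r"\.\.[/\\]")            # ../ or ..\ path traversal
SUSPICIOUS_ARGS = ("--use-compress-program", "--checkpoint-action", "-I ")
COMPRESSOR = re.compile(r"(?:^|/)(gzip|bzip2|xz|zstd|lz4|tar|pigz)$")
INCUSD = re.compile(r"(?:^|/)incusd$")

# Assumed allowlist for the API's compression_algorithm field (illustrative, not Incus's own list).
ALLOWED_ALGORITHMS = frozenset({"gzip", "bzip2", "xz", "zstd", "lz4", "pigz", "none"})


@dataclass
class ProcessLaunch:
    """Minimal stand-in for a UDM PROCESS_LAUNCH event (hypothetical field names)."""
    hostname: str
    ts: int             # event time in seconds
    parent_path: str    # launching process (incusd for backup jobs)
    path: str           # launched process
    cmdline: str


def injection_indicators(cmdline: str) -> list[str]:
    """Return the name of every injection indicator present in a command line."""
    hits = []
    if SHELL_META.search(cmdline):
        hits.append("shell_metachar")
    hits.extend(arg.strip() for arg in SUSPICIOUS_ARGS if arg in cmdline)
    if TRAVERSAL.search(cmdline):
        hits.append("path_traversal")
    return hits


def is_suspicious_compressor_launch(ev: ProcessLaunch) -> bool:
    """$e2: a compression utility launched by incusd whose arguments carry an indicator."""
    return bool(INCUSD.search(ev.parent_path)
                and COMPRESSOR.search(ev.path)
                and injection_indicators(ev.cmdline))


def detect(events: list[ProcessLaunch], window_seconds: int = 60) -> list[dict]:
    """Emulate the rule: a suspicious compressor launch ($e2) preceded, on the same
    host and within window_seconds, by a launch whose parent is incusd ($e1)."""
    alerts = []
    for e2 in events:
        if not is_suspicious_compressor_launch(e2):
            continue
        preceded = any(e1.hostname == e2.hostname
                       and INCUSD.search(e1.parent_path)
                       and 0 <= e2.ts - e1.ts <= window_seconds
                       for e1 in events)
        if preceded:
            alerts.append({
                "hostname": e2.hostname,
                "compression_tool": e2.path,
                "injected_cmdline": e2.cmdline,
                "indicators": injection_indicators(e2.cmdline),
                "risk_score": 95,
            })
    return alerts


def is_allowed_compression_algorithm(value: str) -> bool:
    """Preventive check at the API boundary: exact match against a fixed allowlist,
    which leaves no room for appended flags or metacharacters."""
    return value in ALLOWED_ALGORITHMS


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessLaunch("host-a", 1000, "/usr/bin/incusd", "/usr/bin/gzip", "gzip -9 -c"),
    ProcessLaunch("host-a", 1010, "/usr/bin/incusd", "/usr/bin/gzip", "gzip -c; sh -c id >/tmp/id_output.txt"),
    ProcessLaunch("host-b", 2000, "/usr/bin/incusd", "/usr/bin/tar", "tar --use-compress-program=/tmp/injected.sh -cf backup.tar ."),
    ProcessLaunch("host-c", 3000, "/usr/bin/incusd", "/usr/bin/tar", "tar -I pigz -cf backup.tar ."),   # benign, still fires
    ProcessLaunch("host-d", 4000, "/bin/bash", "/usr/bin/gzip", "gzip -c; id"),                         # parent is not incusd
    ProcessLaunch("host-e", 5000, "/usr/bin/incusd", "/usr/bin/gzip", "gzip -c > /tmp/pwned.txt"),     # '>' is not in the class
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two points the run makes visible: the `-I pigz` event on host-c alerts even though it is ordinary tar usage, which is why the tuning list above calls out uncommon-but-legitimate compression arguments, and the redirect-only command line on host-e does not alert, so a shop that wants the Test 1 signal (`>` and `#`) to fire would have to widen the metacharacter class. Test 3's API audit-log signal is also outside this rule, which only sees process telemetry; the allowlist check is the shape of control that closes the issue at the request boundary rather than after the process has spawned.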
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Incus Backup Compression Argument Injection via API - File Write
  Expected signal: Process event: incusd spawns gzip with command line containing '>' and '#' characters; file creation event at /tmp/pwned.txt by gzip process with parent incusd
- Test 2: Incus Backup Compression Injection via tar --use-compress-program
  Expected signal: Process chain: incusd -> tar with --use-compress-program argument; incusd -> sh -c with id command; file write to /tmp/id_output.txt
- Test 3: Incus REST API Direct Backup Request with Injected Compression Algorithm
  Expected signal: Incus API audit log entry for POST /1.0/instances/test-container/backups with compression_algorithm containing semicolon and redirect; gzip process spawned by incusd with injected shell command in arguments