CVE-2026-48755 IBM QRadar · QRadar

Detect CVE-2026-48755: Incus Argument Injection in Backup Compression Algorithm (AFW/ACE) in IBM QRadar

Detects exploitation of CVE-2026-48755, an argument injection vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. The vulnerability exists in the backup compression algorithm selection, where unsanitized input is passed to compression utilities, enabling arbitrary file write (AFW) and arbitrary code execution (ACE) with incusd process privileges. An attacker with API access to the Incus daemon can inject shell metacharacters or additional arguments into the compression command, potentially achieving container escape or host compromise.

MITRE ATT&CK

Tactic
Initial Access, Privilege Escalation, Execution

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "processname",
  "parentprocessname",
  "processcmdline",
  QIDNAME(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux Syslog', 'Auditd')
  AND "parentprocessname" ILIKE '%incusd%'
  AND "processname" IN ('gzip', 'bzip2', 'xz', 'zstd', 'lz4', 'tar', 'pigz')
  AND (
    "processcmdline" MATCHES '.*[;&|`$()\\\\].*'
    OR "processcmdline" ILIKE '%--use-compress-program%'
    OR "processcmdline" ILIKE '%--checkpoint-action%'
    OR "processcmdline" ILIKE '%../%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```
Severity: critical · Confidence: medium

QRadar AQL query detecting compression utilities spawned as child processes of incusd with command-line argument injection patterns associated with CVE-2026-48755. Note that in AQL the time window (`LAST 24 HOURS`) is a separate clause placed after `ORDER BY`, not a boolean term inside `WHERE`.
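To make the rule's logic testable outside QRadar, the following is an added Python example (not part of the original detection package) that applies the same three conditions as the AQL above, namely parent process contains `incusd`, child is one of the listed compression utilities, and the command line either contains a shell metacharacter or one of the three substrings, to a handful of constructed process events. The `ProcessEvent` fields mirror the QRadar properties used in the query; the sample events are constructed for this example and are not real telemetry.

```python
import re
from dataclasses import dataclass


# Process telemetry as QRadar exposes it after parsing auditd/syslog records.
@dataclass
class ProcessEvent:
    log_source_type: str   # LOGSOURCETYPENAME(devicetype)
    parent_process: str    # "parentprocessname"
    process_name: str      # "processname"
    cmdline: str           # "processcmdline"


# Same allow-lists as the AQL IN (...) clauses.
LOG_SOURCES = {"Linux Syslog", "Auditd"}
COMPRESSORS = {"gzip", "bzip2", "xz", "zstd", "lz4", "tar", "pigz"}

# Same character class as the MATCHES clause: a single metacharacter anywhere
# in the command line is enough to satisfy it.
METACHAR_RE = re.compile(r"[;&|`$()\\]")

# The three ILIKE '%...%' substrings (ILIKE is case-insensitive, so lower() both sides).
SUBSTRINGS = ("--use-compress-program", "--checkpoint-action", "../")


def match_reasons(ev: ProcessEvent) -> list[str]:
    """Return the rule conditions this event satisfies; an empty list means not flagged."""
    if ev.log_source_type not in LOG_SOURCES:
        return []
    if "incusd" not in ev.parent_process.lower():   # parentprocessname ILIKE '%incusd%'
        return []
    if ev.process_name not in COMPRESSORS:           # processname IN (...)
        return []
    reasons = []
    if METACHAR_RE.search(ev.cmdline):
        reasons.append("shell metacharacter")
    lowered = ev.cmdline.lower()
    for needle in SUBSTRINGS:
        if needle in lowered:
            reasons.append(needle)
    return reasons


def flag_events(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event the rule would return."""
    return [(i, r) for i, ev in enumerate(events) if (r := match_reasons(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: normal backup compression, no metacharacters -> not flagged
    ProcessEvent("Auditd", "/usr/bin/incusd", "gzip", "gzip -6 -c"),
    # 1: extra shell-separated command appended to the compressor -> flagged
    ProcessEvent("Auditd", "/usr/bin/incusd", "gzip", "gzip -c ; echo injected"),
    # 2: tar told to run an external program as its compressor -> flagged
    ProcessEvent("Auditd", "/usr/bin/incusd", "tar",
                 "tar --use-compress-program=/tmp/helper -cf out.tar ."),
    # 3: metacharacter present but the parent is not incusd -> not flagged
    ProcessEvent("Linux Syslog", "bash", "gzip", "gzip -c $HOME/backup"),
    # 4: incusd child with a metacharacter but not a compression utility -> not flagged
    ProcessEvent("Auditd", "/usr/bin/incusd", "cp", "cp a b; rm c"),
]


if __name__ == "__main__":
    for idx, reasons in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].cmdline!r} -> {reasons}")
```

Running the script flags events 1 and 2 only. The metacharacter class is broad by design; a legitimate archive name containing parentheses or `$` will also satisfy it, which is why the tuning section below should be applied before the rule is promoted to an alerting offense.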

Data Sources

Linux Syslog, Auditd

Required Tables

events

False Positives & Tuning

  • Legitimate Incus backup API calls with complex but valid compression arguments
  • Security scanners probing Incus API endpoints that generate unusual log entries
  • Batch backup jobs using non-default compression formats supported by Incus

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Incus Backup Compression Argument Injection via API - File Write

    Expected signal: Process event: incusd spawns gzip with command line containing '>' and '#' characters; file creation event at /tmp/pwned.txt by gzip process with parent incusd

  2. Test 2: Incus Backup Compression Injection via tar --use-compress-program

    Expected signal: Process chain: incusd -> tar with --use-compress-program argument; incusd -> sh -c with id command; file write to /tmp/id_output.txt

  3. Test 3: Incus REST API Direct Backup Request with Injected Compression Algorithm

    Expected signal: Incus API audit log entry for POST /1.0/instances/test-container/backups with compression_algorithm containing semicolon and redirect; gzip process spawned by incusd with injected shell command in arguments
