CVE-2026-48769

CVE-2026-48769 — Incus Arbitrary File Write via Trusted Image Hash

Detects exploitation of CVE-2026-48769, a critical arbitrary file write vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. The flaw arises from improper validation (CWE-20) of image hashes during image pull operations, allowing a malicious or compromised image source to write arbitrary files on the Incus client host system. With a CVSS score of 9.9 and public PoC available, this vulnerability is actively exploitable and may lead to full host compromise, container escape, or persistence via overwritten system binaries or configuration files.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
go
Product
github.com/lxc/incus/v7/cmd/incusd
Versions
< 7.2.0

Weakness (CWE)

CWE-20 (Improper Input Validation)

Timeline

Disclosed
June 26, 2026

CVSS

9.9
Critical (9.0–10)

What is CVE-2026-48769 (Incus Arbitrary File Write via Trusted Image Hash)?

CVE-2026-48769 (Incus Arbitrary File Write via Trusted Image Hash) maps to the MITRE ATT&CK tactics Execution, Persistence, Privilege Escalation and Lateral Movement; in ATT&CK terms, the adversary is trying to run malicious code on the host and keep it running.

This page provides production-ready detection logic for CVE-2026-48769 (Incus Arbitrary File Write via Trusted Image Hash), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents and Microsoft Sentinel DeviceFileEvents. The queries below are rated critical severity at high confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic
Execution, Persistence, Privilege Escalation, Lateral Movement
Microsoft Sentinel / Defender
KQL:

let IncusImagePull = DeviceProcessEvents
| where FileName in~ ("incus", "incusd")
| where ProcessCommandLine has_any ("image copy", "launch", "image pull", "image import")
| project PullTime=TimeGenerated, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath;
let SuspiciousWrites = DeviceFileEvents
| where InitiatingProcessFileName in~ ("incus", "incusd")
| where FolderPath has_any ("/etc/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/root/", "/home/")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Rename before the join: KQL cannot address right-side columns as SuspiciousWrites.<column>,
// and same-named columns would otherwise come back suffixed (TimeGenerated1, FolderPath1).
| project WriteTime=TimeGenerated, DeviceId, WrittenPath=FolderPath, WrittenFileName=FileName, WriterCommandLine=InitiatingProcessCommandLine, WriterAccountName=InitiatingProcessAccountName;
IncusImagePull
| join kind=inner SuspiciousWrites on DeviceId
// Keep only writes that land within five minutes after the image operation on the same device.
| where WriteTime between (PullTime .. (PullTime + 5m))
| project TimeGenerated=WriteTime, DeviceName, AccountName, ProcessCommandLine, WrittenFile=WrittenPath, WrittenFileName, WriterCommandLine, WriterAccountName

Correlates Incus image pull/launch operations with file writes to sensitive system paths made by the incus/incusd process on the same device within the following five minutes. A legitimate image operation should not write to /etc, /bin, /usr/bin, or other system directories on the host. Note that /tmp is not in the monitored path list, so the /tmp/pwned write expected by Test 1 below will not match this query unless that prefix is added to the FolderPath filter.

Severity: critical; Confidence: high

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Microsoft Sentinel DeviceFileEvents

Required Tables

DeviceProcessEvents, DeviceFileEvents

False Positives

  • Incus daemon legitimately writing to /var/lib/incus during normal image storage operations
  • System administrators manually running incus commands that trigger file operations in monitored paths during maintenance
  • Automated CI/CD pipelines using incus for containerized build environments with broad filesystem access
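The following Python script is an added example, not the page's query and not Incus project code. It replays the KQL correlation above (incus/incusd image operations joined to file writes under sensitive host paths by the same process, per device, within a five-minute window) over constructed Defender-style events, so the join window and path filters can be exercised without a SIEM, and it applies the tuning the False Positives list calls for by ignoring writes under the daemon's own image store at /var/lib/incus. Field names follow the DeviceProcessEvents and DeviceFileEvents schema; every row, command line and path in the sample data is constructed, and the /var/lib/incus exclusion is an assumption drawn from the first false-positive bullet.

```python
"""Offline replay of the Incus image-pull / sensitive-write correlation.

Added example: mirrors the page's KQL in plain Python over constructed sample
telemetry and adds the /var/lib/incus tuning from the False Positives list.
"""
from datetime import datetime, timedelta

IMAGE_OPS = ("image copy", "launch", "image pull", "image import")
INCUS_BINARIES = {"incus", "incusd"}
SENSITIVE_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                      "/lib/", "/lib64/", "/root/", "/home/")
WRITE_ACTIONS = {"FileCreated", "FileModified", "FileRenamed"}
# Tuning (assumption from the False Positives list): the daemon's own image
# store is expected to receive writes and is excluded from the match.
ALLOWED_PREFIXES = ("/var/lib/incus/",)
WINDOW = timedelta(minutes=5)  # same 5m look-ahead as the KQL


def is_image_pull(proc):
    """DeviceProcessEvents row: incus/incusd executing an image operation."""
    cmd = proc["ProcessCommandLine"].lower()
    return (proc["FileName"].lower() in INCUS_BINARIES
            and any(op in cmd for op in IMAGE_OPS))


def is_suspicious_write(evt):
    """DeviceFileEvents row: incus/incusd creating, modifying or renaming a file
    under a sensitive host path that is not its own image store."""
    path = evt["FolderPath"]  # treated as the full written path, as the KQL does
    return (evt["InitiatingProcessFileName"].lower() in INCUS_BINARIES
            and evt["ActionType"] in WRITE_ACTIONS
            and path.startswith(SENSITIVE_PREFIXES)
            and not path.startswith(ALLOWED_PREFIXES))


def correlate(process_events, file_events, window=WINDOW):
    """Inner join on DeviceId; keep writes landing within `window` after the pull."""
    pulls = [p for p in process_events if is_image_pull(p)]
    writes = [w for w in file_events if is_suspicious_write(w)]
    hits = []
    for p in pulls:
        for w in writes:
            if w["DeviceId"] != p["DeviceId"]:
                continue
            if p["TimeGenerated"] <= w["TimeGenerated"] <= p["TimeGenerated"] + window:
                hits.append({
                    "TimeGenerated": w["TimeGenerated"],
                    "DeviceName": p["DeviceName"],
                    "AccountName": p["AccountName"],
                    "ProcessCommandLine": p["ProcessCommandLine"],
                    "WrittenFile": w["FolderPath"],
                    "WriterCommandLine": w["InitiatingProcessCommandLine"],
                })
    return hits


# ---- constructed sample telemetry (not real events) -------------------------
T0 = datetime(2026, 6, 27, 10, 0, 0)


def _ts(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_PROCESS_EVENTS = [
    {"TimeGenerated": _ts(0), "DeviceId": "dev-1", "DeviceName": "node-a",
     "AccountName": "ops", "FileName": "incus",
     "ProcessCommandLine": "incus launch images:alpine/3.20 web1"},
    {"TimeGenerated": _ts(0), "DeviceId": "dev-2", "DeviceName": "node-b",
     "AccountName": "root", "FileName": "incusd",
     "ProcessCommandLine": "incusd"},  # daemon start, not an image operation
    {"TimeGenerated": _ts(60), "DeviceId": "dev-2", "DeviceName": "node-b",
     "AccountName": "ops", "FileName": "incus",
     "ProcessCommandLine": "incus image copy images:ubuntu/24.04 local:"},
]

SAMPLE_FILE_EVENTS = [
    # normal image-store write: excluded by the /var/lib/incus tuning
    {"TimeGenerated": _ts(10), "DeviceId": "dev-1", "InitiatingProcessFileName": "incusd",
     "ActionType": "FileCreated", "FolderPath": "/var/lib/incus/images/sample-image",
     "InitiatingProcessCommandLine": "incusd"},
    # the Test 3 signal from the page: cron job dropped 30 s after the launch -> hit
    {"TimeGenerated": _ts(30), "DeviceId": "dev-1", "InitiatingProcessFileName": "incusd",
     "ActionType": "FileCreated", "FolderPath": "/etc/cron.d/incus-update",
     "InitiatingProcessCommandLine": "incusd"},
    # same device, sensitive path, but 20 minutes later -> outside the window
    {"TimeGenerated": _ts(1200), "DeviceId": "dev-1", "InitiatingProcessFileName": "incusd",
     "ActionType": "FileModified", "FolderPath": "/usr/bin/ls",
     "InitiatingProcessCommandLine": "incusd"},
    # system binary modified 1 min after the image copy on node-b -> hit
    {"TimeGenerated": _ts(120), "DeviceId": "dev-2", "InitiatingProcessFileName": "incusd",
     "ActionType": "FileModified", "FolderPath": "/usr/bin/ls",
     "InitiatingProcessCommandLine": "incusd"},
    # not an Incus process -> ignored even though the path is sensitive
    {"TimeGenerated": _ts(120), "DeviceId": "dev-2", "InitiatingProcessFileName": "bash",
     "ActionType": "FileModified", "FolderPath": "/etc/hostname",
     "InitiatingProcessCommandLine": "bash -c hostnamectl"},
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(h["TimeGenerated"], h["DeviceName"], h["WrittenFile"], "<-", h["ProcessCommandLine"])
```

Running the script yields two alerts (the cron drop on node-a and the /usr/bin/ls modification on node-b); the image-store write, the write 20 minutes after the launch, and the bash write are all discarded, which is the behaviour to expect from the KQL once the same exclusion is added to its FolderPath filter.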

Sigma rule & cross-platform mapping

The detection logic above for CVE-2026-48769 (Incus Arbitrary File Write via Trusted Image Hash) is provided in vendor-neutral form so it can be deployed on any SIEM. The same logic ships as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: linux

Testing Methodology

Validate this detection against the 3 tests below, adapted from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate CVE-2026-48769 (Malicious Image Serving Arbitrary File Write)

    Expected signal: process event showing incus or incusd spawning with 'image copy' in the command line; file creation event for /tmp/pwned by the incusd process; network connection from incusd to 127.0.0.1:18443

  2. Test 2: Incus Version Detection and Vulnerable Host Discovery

    Expected signal: process events showing incus/incusd invoked with --version or the version subcommand; curl process accessing /var/lib/incus/unix.socket

  3. Test 3: Post-Exploitation (Persistence via Written Cron Job)

    Expected signal: process event showing a process named incusd writing to /etc/cron.d/; file creation event for /etc/cron.d/incus-update; auditd AVC or WRITE record for /etc/cron.d/
