CVE-2026-48769 Google Chronicle · YARA-L

Detect CVE-2026-48769 — Incus Arbitrary File Write via Trusted Image Hash in Google Chronicle

Detects exploitation of CVE-2026-48769, a critical arbitrary file write vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. The flaw arises from improper validation (CWE-20) of image hashes during image pull operations, allowing a malicious or compromised image source to write arbitrary files on the Incus client host system. With a CVSS score of 9.9 and public PoC available, this vulnerability is actively exploitable and may lead to full host compromise, container escape, or persistence via overwritten system binaries or configuration files.

MITRE ATT&CK

Tactics
Execution, Persistence, Privilege Escalation, Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)

rule cve_2026_48769_incus_arbitrary_file_write {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-48769 exploitation — Incus arbitrary file write via trusted image hash"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/lxc/incus/security/advisories/GHSA-f6m5-xw2g-xc4x"

  events:
    // Incus client or daemon starting an image copy/pull/import or a launch.
    // In a PROCESS_LAUNCH event the launched binary is target.process, so the
    // path check and the command-line check must both look at the target.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.file.full_path = /\/(usr\/bin\/|bin\/|usr\/local\/bin\/)incus(d)?$/
    (
      $proc.target.process.command_line = /image\s+(copy|pull|import)/ or
      $proc.target.process.command_line = /^incus\s+launch/
    )
    $proc.principal.hostname = $host

    // An Incus process then creating a file in a sensitive host directory
    $file.metadata.event_type = "FILE_CREATION"
    $file.principal.process.file.full_path = /incus(d)?$/
    (
      $file.target.file.full_path = /^\/etc\// or
      $file.target.file.full_path = /^\/usr\/(bin|sbin)\// or
      $file.target.file.full_path = /^\/(bin|sbin)\// or
      $file.target.file.full_path = /^\/root\// or
      $file.target.file.full_path = /^\/home\//
    )
    $file.principal.hostname = $host

    // The file write must not precede the image operation; the match window below caps the gap at 5 minutes
    $proc.metadata.event_timestamp.seconds <= $file.metadata.event_timestamp.seconds

  match:
    // A multi-event rule requires a match section: join both events on host within 5 minutes
    $host over 5m

  condition:
    $proc and $file
}

Severity: Critical | Confidence: High

Chronicle YARA-L rule correlating Incus process image operations with file creation events in sensitive host directories within a 5-minute window.
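To see what the rule's join actually admits and rejects, here is an added Python model of its logic (example code, not Chronicle syntax and not df00tech's own) run over constructed UDM-style events; the dict keys, the proc/fcreate helpers and all sample values are assumptions.

```python
import re
from itertools import product

# Field regexes transcribed from the rule's events section.
INCUS_BIN = re.compile(r"/(usr/bin/|bin/|usr/local/bin/)incus(d)?$")
IMAGE_OP = re.compile(r"image\s+(copy|pull|import)|^incus\s+launch")
INCUS_WRITER = re.compile(r"incus(d)?$")
SENSITIVE_DIR = re.compile(r"^/(etc|usr/bin|usr/sbin|bin|sbin|root|home)/")
WINDOW_SECONDS = 300  # the rule's 5-minute correlation window

def correlate(events):
    """Join qualifying PROCESS_LAUNCH and FILE_CREATION events on hostname,
    the file write landing at or after the launch and inside the window."""
    procs = [e for e in events if e["event_type"] == "PROCESS_LAUNCH"
             and INCUS_BIN.search(e["process_path"])
             and IMAGE_OP.search(e["command_line"])]
    files = [e for e in events if e["event_type"] == "FILE_CREATION"
             and INCUS_WRITER.search(e["process_path"])
             and SENSITIVE_DIR.match(e["target_path"])]
    hits = []
    for p, f in product(procs, files):
        same_host = p["hostname"] == f["hostname"]
        in_window = p["ts"] <= f["ts"] <= p["ts"] + WINDOW_SECONDS
        if same_host and in_window:
            hits.append((p["hostname"], p["command_line"], f["target_path"]))
    return hits

def proc(host, ts, path, cmd):  # hypothetical helper: a launched-process event
    return {"event_type": "PROCESS_LAUNCH", "hostname": host, "ts": ts,
            "process_path": path, "command_line": cmd}

def fcreate(host, ts, path, target):  # hypothetical helper: a file-creation event
    return {"event_type": "FILE_CREATION", "hostname": host, "ts": ts,
            "process_path": path, "target_path": target}

# Constructed sample telemetry (not real logs); ts is epoch seconds.
SAMPLE_EVENTS = [
    proc("h1", 1000, "/usr/bin/incus", "incus image copy untrusted:alpine local:"),
    proc("h1", 1010, "/usr/bin/incus", "incus list"),                    # not an image op
    fcreate("h1", 900, "/usr/sbin/incusd", "/etc/hosts"),                # precedes the launch
    fcreate("h1", 1050, "/usr/sbin/incusd", "/var/lib/incus/images/x"),  # normal image store path
    fcreate("h1", 1060, "/usr/sbin/incusd", "/tmp/pwned"),               # /tmp not in the rule's list
    fcreate("h2", 1070, "/usr/sbin/incusd", "/root/.profile"),           # different host
    fcreate("h1", 1120, "/usr/sbin/incusd", "/etc/cron.d/incus-update"), # the one true positive
    fcreate("h1", 1400, "/usr/sbin/incusd", "/usr/bin/ls"),              # 400 s later, outside window
]
if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Note that the /tmp/pwned write listed as the expected signal for Test 1 below is outside the rule's directory list and produces no hit, so that test exercises only the process-event half of the rule.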

Data Sources

Chronicle UDM, Google Cloud Endpoint Telemetry

Required Tables

process_launch, file_creation

False Positives & Tuning

  • Incus storage drivers legitimately creating files in bind-mounted host directories
  • System update processes running concurrently with incus image operations
  • Custom container runtimes built on incus libraries that perform legitimate host file operations

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate CVE-2026-48769 — Malicious Image Serving Arbitrary File Write

    Expected signal: Process event: incus or incusd spawning with 'image copy' in command line; File creation event: /tmp/pwned created by incusd process; Network connection: incusd connecting to 127.0.0.1:18443

  2. Test 2: Incus Version Detection and Vulnerable Host Discovery

    Expected signal: Process events showing incus/incusd invoked with --version or version subcommand; curl process accessing /var/lib/incus/unix.socket

  3. Test 3: Post-Exploitation — Persistence via Written Cron Job

    Expected signal: Process event: process named incusd writing to /etc/cron.d/; File creation event: /etc/cron.d/incus-update created; auditd AVC or WRITE record for /etc/cron.d/
