Detect CVE-2026-48769 — Incus Arbitrary File Write via Trusted Image Hash in Splunk
Detects exploitation of CVE-2026-48769, a critical arbitrary file write vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.2.0. The flaw arises from improper validation (CWE-20) of image hashes during image pull operations, allowing a malicious or compromised image source to write arbitrary files on the Incus client host system. With a CVSS score of 9.9 and public PoC available, this vulnerability is actively exploitable and may lead to full host compromise, container escape, or persistence via overwritten system binaries or configuration files.
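The advisory above attributes the flaw to improper validation of image hashes during a pull. The following is an added example, not Incus's own code, showing what correct validation looks like on the pulling side: recompute the digest of the bytes actually received and compare it with the fingerprint the client asked for (never a value the remote reports), derive the destination name from that verified fingerprint alone, and refuse any remote-supplied file name that would escape the image store. The function names, the store path and the sample bytes are constructed for this example.

```python
"""Image-pull validation, hardened form (added example, not Incus code)."""
import hashlib
import hmac
import os
import re

# Constructed: assumed location of the local image store.
IMAGE_STORE = "/var/lib/incus/images"

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


class ImageValidationError(Exception):
    """Raised when received image content or a target path is untrusted."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, requested_fingerprint: str) -> str:
    """Return the verified fingerprint, or raise on any mismatch.

    requested_fingerprint is the value the client resolved from a trusted
    alias or user input *before* the pull; anything the remote claims about
    the hash is ignored. The weak pattern this replaces (CWE-20) is trusting
    a server-reported fingerprint or skipping the recomputation entirely.
    """
    fp = requested_fingerprint.strip().lower()
    if not HEX_SHA256.match(fp):
        raise ImageValidationError("requested fingerprint is not a hex SHA-256")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, fp):
        raise ImageValidationError(f"hash mismatch: got {actual}, wanted {fp}")
    return fp


def check_image(data: bytes, requested_fingerprint: str) -> bool:
    """Boolean wrapper around verify_image for callers that do not want exceptions."""
    try:
        verify_image(data, requested_fingerprint)
        return True
    except ImageValidationError:
        return False


def safe_join(store: str, name: str) -> str:
    """Join a remote-supplied name to the store; refuse anything that escapes it.

    Absolute names and '..' components are normalised lexically (symlinks are
    not followed here); the result must still sit strictly under the store root.
    """
    root = os.path.normpath(os.path.abspath(store))
    candidate = os.path.normpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ImageValidationError(f"refusing path outside image store: {name!r}")
    return candidate


def is_contained(store: str, name: str) -> bool:
    try:
        safe_join(store, name)
        return True
    except ImageValidationError:
        return False


def store_image(data: bytes, requested_fingerprint: str, store: str = IMAGE_STORE) -> str:
    """Verify the image and return the path it would be written to.

    The destination name is the verified fingerprint, so no remote-controlled
    string (alias, header, archive member name) can steer the write. The
    write itself is omitted so the example runs without touching the disk.
    """
    fp = verify_image(data, requested_fingerprint)
    return safe_join(store, fp)
```

The two checks are independent on purpose: the hash comparison guarantees the content is what was asked for, and the containment check guarantees that even a correctly hashed image, or any metadata file named by the remote, cannot land outside the store.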
MITRE ATT&CK
SPL Detection Query
index=endpoint sourcetype IN ("xmlwineventlog", "linux_secure", "sysmon", "auditd")
| eval proc=lower(coalesce(process_name, process))
| where proc IN ("incus", "incusd")
| eval cmd=coalesce(process, CommandLine, command)
| where match(cmd, "(image\s+copy|image\s+pull|image\s+import|launch)")
| eval evt_time=_time
| join type=inner max=0 DeviceId
    [search index=endpoint sourcetype IN ("sysmon", "auditd", "linux_secure")
    | eval proc=lower(coalesce(process_name, process))
    | where proc IN ("incus", "incusd")
    | eval filepath=coalesce(TargetFilename, file_path, object)
    | where match(filepath, "^(/etc/|/usr/bin/|/usr/sbin/|/bin/|/sbin/|/lib/|/root/|/home/)")
    | where EventCode IN ("11", "2") OR type IN ("write", "create")
    | eval write_time=_time
    | table DeviceId, filepath, write_time]
| where (write_time - evt_time) >= 0 AND (write_time - evt_time) <= 300
| table _time, host, user, cmd, filepath, write_time
| sort -_time
Detects an Incus process initiating image operations followed within 5 minutes by file write events to sensitive host filesystem paths, indicating potential exploitation of CVE-2026-48769. The time-window filter is applied after the join, since a subsearch cannot see the outer search's evt_time field, and max=0 keeps every matching write per DeviceId rather than only the first.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Incus writing image metadata to /var/lib/incus or other configured storage paths
- Package managers invoked alongside incus operations writing to /usr/bin during maintenance windows
- Custom incus hooks or scripts that legitimately modify host configuration files
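To make the correlation in the SPL Detection Query concrete, and to show where the tuning items above plug in, here is an added Python example (not part of the original page or the detection package) that re-implements the same logic over constructed events: an incus/incusd process event whose command line contains an image operation, followed on the same DeviceId within 300 seconds by a file create/write from incus/incusd into one of the sensitive path prefixes, with an allow-list for Incus's own storage paths. Field names (DeviceId, process_name, CommandLine, TargetFilename) mirror the query; the events themselves are constructed and are not real telemetry.

```python
"""Correlating Incus image operations with sensitive writes (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Same patterns as the SPL query.
IMAGE_OP_RE = re.compile(r"(image\s+copy|image\s+pull|image\s+import|launch)")
SENSITIVE_RE = re.compile(r"^(/etc/|/usr/bin/|/usr/sbin/|/bin/|/sbin/|/lib/|/root/|/home/)")
INCUS_PROCS = {"incus", "incusd"}
WINDOW_SECONDS = 300
# Tuning: paths Incus legitimately writes to (constructed allow-list).
ALLOWED_PREFIXES: Sequence[str] = ("/var/lib/incus/",)


@dataclass(frozen=True)
class Alert:
    device: str
    user: str
    cmd: str
    filepath: str
    delta_seconds: int


def is_image_op(event: dict) -> bool:
    """Outer search: incus/incusd process with an image operation on the command line."""
    return (event["kind"] == "process"
            and event["process_name"].lower() in INCUS_PROCS
            and IMAGE_OP_RE.search(event["CommandLine"]) is not None)


def is_sensitive_write(event: dict,
                       allowed_prefixes: Sequence[str] = ALLOWED_PREFIXES) -> bool:
    """Subsearch: incus/incusd write into a sensitive path, minus allow-listed prefixes."""
    if event["kind"] != "file" or event["process_name"].lower() not in INCUS_PROCS:
        return False
    path = event["TargetFilename"]
    if path.startswith(tuple(allowed_prefixes)):
        return False
    return SENSITIVE_RE.match(path) is not None


def correlate(events: Iterable[dict], window: int = WINDOW_SECONDS) -> List[Alert]:
    """Join image operations to later writes on the same DeviceId within the window."""
    events = list(events)
    ops = [e for e in events if is_image_op(e)]
    writes = [e for e in events if is_sensitive_write(e)]
    alerts = []
    for op in ops:
        for w in writes:
            delta = w["_time"] - op["_time"]
            # Only writes at or after the image operation count, and only within the window.
            if w["DeviceId"] == op["DeviceId"] and 0 <= delta <= window:
                alerts.append(Alert(op["DeviceId"], op["user"], op["CommandLine"],
                                    w["TargetFilename"], delta))
    return sorted(alerts, key=lambda a: a.delta_seconds)


# Constructed sample telemetry (not from any real host).
SAMPLE_EVENTS = [
    {"kind": "process", "_time": 1000, "DeviceId": "host-a", "user": "root",
     "process_name": "incusd", "CommandLine": "incus image copy images:alpine/3.19 local: --alias alp"},
    {"kind": "file", "_time": 990, "DeviceId": "host-a", "user": "root",
     "process_name": "incusd", "TargetFilename": "/etc/ssh/sshd_config"},          # before the op: ignored
    {"kind": "file", "_time": 1040, "DeviceId": "host-a", "user": "root",
     "process_name": "incusd", "TargetFilename": "/etc/cron.d/incus-update"},      # 40 s later: alert
    {"kind": "file", "_time": 1050, "DeviceId": "host-a", "user": "root",
     "process_name": "incusd", "TargetFilename": "/var/lib/incus/images/abc.tar.xz"},  # allow-listed
    {"kind": "file", "_time": 1600, "DeviceId": "host-a", "user": "root",
     "process_name": "incusd", "TargetFilename": "/usr/bin/incus-helper"},         # 600 s later: outside window
    {"kind": "process", "_time": 1010, "DeviceId": "host-b", "user": "root",
     "process_name": "incus", "CommandLine": "incus list"},                        # not an image op
    {"kind": "file", "_time": 1020, "DeviceId": "host-b", "user": "root",
     "process_name": "incusd", "TargetFilename": "/etc/hosts"},                    # no preceding op on host-b
    {"kind": "file", "_time": 1030, "DeviceId": "host-a", "user": "root",
     "process_name": "dpkg", "TargetFilename": "/usr/bin/vim"},                    # package manager, not incus
]


def run_sample() -> List[Alert]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.device} {a.user} +{a.delta_seconds}s {a.filepath} <- {a.cmd}")
```

Running it on the constructed events yields exactly one alert, the /etc/cron.d/incus-update write 40 seconds after the image copy on host-a; the earlier write, the allow-listed storage path, the write outside the window, the non-image command and the package-manager write are all filtered, which is the behaviour the tuning list above describes.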
Other platforms for CVE-2026-48769
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate CVE-2026-48769 — Malicious Image Serving Arbitrary File Write
Expected signal: Process event: incus or incusd spawning with 'image copy' in command line; File creation event: /tmp/pwned created by incusd process; Network connection: incusd connecting to 127.0.0.1:18443
- Test 2: Incus Version Detection and Vulnerable Host Discovery
Expected signal: Process events showing incus/incusd invoked with --version or version subcommand; curl process accessing /var/lib/incus/unix.socket
- Test 3: Post-Exploitation — Persistence via Written Cron Job
Expected signal: Process event: process named incusd writing to /etc/cron.d/; File creation event: /etc/cron.d/incus-update created; auditd AVC or WRITE record for /etc/cron.d/