CVE-2026-33945
Incus · Incus
Incus versions prior to 6.23.0 are vulnerable to an arbitrary file write flaw where path traversal in systemd credential keys allows root-level writes to the host filesystem.
Executive summary
The Incus virtual machine and container manager is vulnerable to a critical privilege escalation in which an attacker can write arbitrary files as root on the host server, leading to full system compromise.
Vulnerability
The vulnerability exists in the handling of systemd.credential configuration keys. Because Incus allows periods in credential names, an attacker can use traversal sequences (e.g., ../../../root/.bashrc) to escape the intended directory and write files to the host filesystem with root privileges.
Business impact
A successful exploit allows an attacker with instance configuration privileges to escalate to root on the host server. This can result in a total loss of host integrity, permanent denial of service, or the ability to compromise all other instances running on the same hardware. The CVSS score of 9.9 highlights the extreme severity of this host-escape scenario.
Remediation
Immediate Action: Update Incus to version 6.23.0 or later to patch the configuration key parsing logic.
Proactive Monitoring: Audit instance configuration logs for any keys containing suspicious path traversal patterns or excessive use of periods in systemd.credential fields.
Compensating Controls: Limit the ability to modify instance configurations to highly trusted administrators and use mandatory access control (MAC) systems like AppArmor to restrict where the Incus daemon can write files.
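As an added example (not code from Incus or from this advisory), the following Python audit applies the monitoring guidance above to an instance's configuration keys, flagging credential names that contain path separators or `..` segments, that would resolve outside the credential directory, or that use an excessive number of periods. The `systemd.credential.` key prefix, the credential directory and the period threshold are assumptions, and the sample config is constructed.

```python
import posixpath

# Assumed key layout: the advisory names "systemd.credential" configuration
# keys and says the credential name may contain periods; the exact prefix, the
# directory credentials are written to and the period threshold are assumptions.
CREDENTIAL_PREFIX = "systemd.credential."
CREDENTIAL_DIR = "/credentials"   # placeholder for the daemon's credential directory
MAX_PERIODS = 3                   # heuristic threshold for "excessive use of periods"

# Constructed sample instance config (not real data); the traversal key mirrors
# the ../../../root/.bashrc example given in the advisory.
SAMPLE_CONFIG = {
    "security.privileged": "false",
    "systemd.credential.db.password": "value",
    "systemd.credential.../../../root/.bashrc": "value",
    "systemd.credential./etc/cron.d/job": "value",
    "systemd.credential.a.b.c.d.e.f": "value",
}


def escapes_directory(name, base=CREDENTIAL_DIR):
    """True when joining the credential name onto the base directory resolves
    to a path outside that directory (absolute names or '..' segments)."""
    resolved = posixpath.normpath(posixpath.join(base, name))
    return not resolved.startswith(base.rstrip("/") + "/")


def audit_credential_key(key):
    """Return the findings for one config key; empty if the key is not a
    systemd.credential key or its credential name looks benign."""
    if not key.startswith(CREDENTIAL_PREFIX):
        return []
    name = key[len(CREDENTIAL_PREFIX):]
    findings = []
    if name in ("", ".", ".."):
        findings.append("empty or dot-only credential name")
    if "/" in name or "\\" in name:
        findings.append("path separator in credential name")
    if ".." in name.replace("\\", "/").split("/"):
        findings.append("'..' segment in credential name")
    if escapes_directory(name):
        findings.append("resolves outside the credential directory")
    if name.count(".") > MAX_PERIODS:
        findings.append("excessive number of periods (%d)" % name.count("."))
    return findings


def audit_config(config):
    """Map every flagged systemd.credential key in an instance config to its findings."""
    return {k: audit_credential_key(k) for k in config if audit_credential_key(k)}


if __name__ == "__main__":
    for key, findings in audit_config(SAMPLE_CONFIG).items():
        print(key, "->", "; ".join(findings))
```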
Exploitation status
Public Exploit Available: false
Analyst recommendation
Host-escape vulnerabilities in virtualization platforms are among the most critical security risks. Administrators must apply the version 6.23.0 update immediately to prevent instance-to-host privilege escalation.