Privilege Escalation in Incus: Container Management Software by LXD
CVE-2025-64507

8.6HIGH

Key Information:

Vendor

Lxc

Status
Vendor
CVE Published:
10 November 2025

What is CVE-2025-64507?

A vulnerability in Incus, a system container and virtual machine manager, allows unprivileged users to gain root access. It occurs when an unprivileged user creates a custom storage volume with the security.shifted property set to true. In deployments where such users are given restricted access to Incus through membership in the incus group, they can create a custom storage volume that lets a setuid binary be executed on the host system, escalating their privileges. Fixes are expected in versions 6.0.6 and 6.19.0; until then, administrators are advised to restrict who can create custom storage volumes and to review existing volumes for the security.shifted setting.
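The advisory gives two things a defender can act on: the affected version ranges, and the volume property (security.shifted on a custom volume) that should be reviewed until the fix is deployed. The script below is an added example, not code from the advisory or from the Incus project. It checks a reported Incus version against the ranges stated above and scans a list of storage volumes for custom volumes with security.shifted enabled. The volume list is a constructed sample; it assumes the field names of the Incus storage-volume API (name, type, project, config, used_by), and the optional helper that fetches live data assumes the invocation `incus storage volume list <pool> --format json` produces that JSON.

```python
"""Audit helpers for CVE-2025-64507: affected-version check and a scan for
custom storage volumes with security.shifted=true. Added example; assumes
the Incus storage-volume JSON shape described in the lead-in."""
import json
import subprocess

# Ranges taken from the advisory: < 6.0.6, and >= 6.1.0 but < 6.19.0.
AFFECTED_RANGES = [((0, 0, 0), (6, 0, 6)), ((6, 1, 0), (6, 19, 0))]

# Constructed sample in the shape `incus storage volume list <pool> --format json`
# is assumed to return. Only "webdata" is a custom volume with the risky setting.
SAMPLE_VOLUMES_JSON = """[
  {"name": "webdata", "type": "custom", "project": "default",
   "config": {"security.shifted": "true"}, "used_by": ["/1.0/instances/web1"]},
  {"name": "scratch", "type": "custom", "project": "default",
   "config": {}, "used_by": []},
  {"name": "rootfs", "type": "container", "project": "default",
   "config": {}, "used_by": ["/1.0/instances/web1"]}
]"""


def parse_version(text):
    """Turn '6.18.0' (optionally with a suffix like '6.18.0-1') into a tuple of ints."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(text):
    """True when the version falls inside one of the advisory's affected ranges.
    Range bounds are [low, high): the patched versions 6.0.6 and 6.19.0 are excluded."""
    v = parse_version(text)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def shifted_custom_volumes(volumes):
    """Return the custom volumes whose config enables security.shifted.
    Incus stores config values as strings, so the value is compared case-insensitively."""
    hits = []
    for vol in volumes:
        if vol.get("type") != "custom":
            continue  # instance root volumes are not the advisory's concern
        value = str(vol.get("config", {}).get("security.shifted", "false")).lower()
        if value == "true":
            hits.append({
                "project": vol.get("project", "default"),
                "name": vol["name"],
                "used_by": list(vol.get("used_by", [])),
            })
    return hits


def load_volumes_from_incus(pool):
    """Assumed invocation: query a live host for one pool's volumes (not run in tests)."""
    out = subprocess.run(
        ["incus", "storage", "volume", "list", pool, "--format", "json"],
        capture_output=True, text=True, check=True,
    ).stdout
    return json.loads(out)


def report(version, volumes):
    """Summarise the two checks as a dict suitable for logging or a ticket."""
    return {
        "version": version,
        "version_affected": is_affected_version(version),
        "shifted_custom_volumes": shifted_custom_volumes(volumes),
    }


if __name__ == "__main__":
    result = report("6.18.0", json.loads(SAMPLE_VOLUMES_JSON))
    print(json.dumps(result, indent=2))
```

On an unpatched host, any entry in `shifted_custom_volumes` identifies a custom volume to review; the `used_by` list shows which instances attach it, which is the first thing an incident responder will want when deciding whether the volume was created by a member of the incus group.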

Affected Version(s)

incus < 6.0.6

incus >= 6.1.0, < 6.19.0

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
