Newline Injection Vulnerability in Incus Container Manager
CVE-2026-23953

8.7HIGH

Key Information:

Vendor

Lxc

Status
Incus
Vendor
CVE Published:
22 January 2026

What is CVE-2026-23953?

Incus, a system container and virtual machine manager, is vulnerable to newline injection in versions 6.20.0 and below. Users with permissions to launch containers using custom YAML configurations can introduce carriage returns into environment variables, allowing them to alter the container's lxc.conf. This ability can lead to the execution of arbitrary code on the host by leveraging additional configuration items and lifecycle hooks. Users are advised to be cautious and monitor their environments until the planned security updates in versions 6.0.6 and 6.21.0 are released.

Affected Version(s)

incus >= 6.1.0, <= 6.20.0 <= 6.1.0, 6.20.0

incus <= 6.0.5 <= 6.0.5

References

https://github.com/lxc/incus/security/advisories/GHSA-x6j...
x_refsource_CONFIRM
https://github.com/lxc/incus/blob/HEAD/internal/server/in...
x_refsource_MISC
https://github.com/user-attachments/files/24473682/enviro...
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.