Local Privilege Escalation and Denial of Service Vulnerability in Incus by LXC
CVE-2026-33711

4.7 MEDIUM

Key Information:

Vendor: LXC
Status: Vendor
CVE Published: 26 March 2026

What is CVE-2026-33711?

Incus, a system container and virtual machine manager, has a vulnerability in the API it uses to retrieve VM screenshots. To produce the screenshot, QEMU writes to a temporary file, and in versions prior to 6.23.0 the path of that file is predictable. An attacker with local access can therefore pre-create a symlink at the expected path so that the write is redirected. Most Linux systems defeat this through the kernel's protected_symlinks feature (the fs.protected_symlinks sysctl), but any system with that mechanism disabled is susceptible. The result may be unauthorized changes to file permissions, a denial of service condition, or local privilege escalation. Version 6.23.0 has been released to remedy this issue.
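Two checks a defender would run when triaging this advisory, as an added POSIX sh example (not from the advisory or the Incus project): whether the installed version predates the 6.23.0 fix, and whether the kernel mitigation the advisory relies on is enabled. It assumes `incus --version` prints a bare major.minor.patch string and that the kernel exposes the setting as /proc/sys/fs/protected_symlinks; the sysctl file path is a parameter so the functions can be tested against constructed files.

```shell
#!/bin/sh
# Added triage helpers for CVE-2026-33711 (example code, not Incus code).

# Returns 0 (true) if the given Incus version is below the fixed release 6.23.0.
# Only major and minor matter, since the fix landed in the first 6.23 release.
incus_version_affected() {
    # Split "major.minor.patch" into positional parameters; missing parts default to 0.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    maj=${1:-0}
    min=${2:-0}
    if [ "$maj" -lt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -lt 23 ]; }; then
        return 0
    fi
    return 1
}

# Returns 0 (true) if fs.protected_symlinks is enabled in the given sysctl file
# (defaults to the live kernel value). The advisory notes that this setting
# blocks the symlink redirection on most distributions.
protected_symlinks_enabled() {
    file="${1:-/proc/sys/fs/protected_symlinks}"
    [ -r "$file" ] && [ "$(cat "$file")" = "1" ]
}

# Combines both checks: exposure exists only when the version is affected AND
# the kernel mitigation is off. Prints a verdict and returns 0 if exposed.
cve_2026_33711_exposed() {
    version="$1"
    sysctl_file="${2:-/proc/sys/fs/protected_symlinks}"
    if incus_version_affected "$version" && ! protected_symlinks_enabled "$sysctl_file"; then
        echo "EXPOSED: incus $version < 6.23.0 and fs.protected_symlinks is off; upgrade or enable the sysctl"
        return 0
    fi
    echo "not exposed: incus $version, protected_symlinks=$(cat "$sysctl_file" 2>/dev/null || echo unknown)"
    return 1
}

# Stand-alone run against the live host. If the incus binary is absent the
# constructed version "6.22.0" is used so the script still demonstrates output.
if [ -z "${CVE_CHECK_NO_MAIN:-}" ]; then
    v=$(incus --version 2>/dev/null || echo "6.22.0")
    cve_2026_33711_exposed "$v" || true
fi
```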

Affected Version(s)

incus < 6.23.0

CVSS V4

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved