CVE-2025-64507

Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lxc/incus/issues/2641	Exploit Issue Tracking Patch
https://github.com/lxc/incus/pull/2642	Exploit Issue Tracking Patch
https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf	Exploit Vendor Advisory Patch
https://github.com/lxc/incus/issues/2641	Exploit Issue Tracking Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxcontainers:incus::::::::
	cpe:2.3:a:linuxcontainers:incus::::::::

History

No history.

Information

Published : 2025-11-10 22:15

Updated : 2025-12-29 16:29

NVD link : CVE-2025-64507

Mitre link : CVE-2025-64507

CVE.ORG link : CVE-2025-64507

JSON object : View

Products Affected

linuxcontainers

incus

CWE

CWE-269

Improper Privilege Management

NVD-CWE-noinfo

{"id": "CVE-2025-64507", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-10T22:15:39.460", "references": [{"url": "https://github.com/lxc/incus/issues/2641", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lxc/incus/pull/2642", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf", "tags": ["Exploit", "Vendor Advisory", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lxc/incus/issues/2641", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y m\u00e1quinas virtuales. Un problema en versiones anteriores a la 6.0.6 y 6.19.0 afecta a cualquier usuario de Incus en un entorno donde un usuario sin privilegios puede tener acceso root a un contenedor con un volumen de almacenamiento personalizado adjunto que tiene la propiedad 'security.shifted' establecida en 'true', as\u00ed como acceso al host como usuario sin privilegios. El caso m\u00e1s com\u00fan para esto ser\u00edan los sistemas que utilizan 'incus-user' con el grupo 'incus' menos privilegiado para proporcionar a los usuarios sin privilegios un acceso restringido y aislado a Incus. Dichos usuarios pueden ser capaces de crear un volumen de almacenamiento personalizado con la propiedad necesaria (dependiendo del soporte del kernel y del sistema de archivos) y luego pueden escribir un binario setuid desde dentro del contenedor que puede ser ejecutado como un usuario sin privilegios en el host para obtener privilegios de root. Se espera un parche para este problema en las versiones 6.0.6 y 6.19.0. Como soluci\u00f3n alternativa, los permisos pueden ser restringidos manualmente hasta que se implemente una versi\u00f3n parcheada de Incus."}], "lastModified": "2025-12-29T16:29:38.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22A65942-B80B-4A93-ADF9-AF639CE3C1BE", "versionEndExcluding": "6.0.6"}, {"criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6264E25B-FC10-461A-81EC-73D30BE1858E", "versionEndExcluding": "6.19.0", "versionStartIncluding": "6.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}