CVE-2026-33897 — AI Deep Analysis Summary

🚨 **Essence**: Incus < 6.23.0 has a **template bypass** flaw. 📉 **Consequences**: Attackers can escape **chroot isolation**, leading to **arbitrary read/write** access on the host system. Critical integrity loss!

🛡️ **CWE**: CWE-1336 (Improper Handling of Insufficiently Specified Resource).…

🏢 **Vendor**: LXC (Incus). 📦 **Product**: Incus. ⚠️ **Affected**: Versions **prior to 6.23.0**. If you are running 6.22.x or older, you are vulnerable!

💀 **Privileges**: Escalates from container user to **Host Root**. 📂 **Data**: Full **arbitrary read/write** capabilities. Hackers can steal data, modify system files, or pivot to other containers. Total compromise!

🔑 **Auth**: Requires **Low Privileges** (PR:L). 🌐 **Network**: Attackable over **Network** (AV:N). 🚫 **UI**: No User Interaction needed (UI:N). Threshold is **LOW** for authenticated users.

📜 **Public Exp**: No PoC provided in data. 🌍 **Wild Exp**: Unconfirmed. However, the CVSS score is **Critical (9.8)**, implying high exploitability potential once discovered. Stay alert!

🔍 **Check**: Scan for Incus version < 6.23.0. 📝 **Feature**: Look for custom **instance templates** using pongo2 syntax. If templates are user-controllable, risk is HIGH.

✅ **Fixed**: Yes! Upgrade to **Incus 6.23.0** or later. 📥 **Patch**: Official advisory available at GitHub Security Advisories (GHSA-83xr-5xxr-mh92).

🚧 **Workaround**: If patching is delayed, **restrict template creation** to trusted admins only. 🛑 **Disable** user-defined pongo2 templates in instance configs until upgraded.

🔥 **Urgency**: **CRITICAL**. CVSS 9.8 means immediate action required. 🏃 **Action**: Patch to v6.23.0 **NOW**. Do not wait for an exploit to appear!