CVE-2026-33945: AI Deep Analysis Summary

CVSS 10.0 · Critical

Q1 What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: Path traversal in **Incus**, the LXC-based system container and virtual machine manager (the LXD fork). Crafted configuration keys let an attacker write files outside the intended `credentials` directory. 💥 **Consequences**: privilege escalation and denial of service (DoS).…

Q2 Root Cause? (CWE/Flaw)

🛡️ **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory. Configuration key names are not validated strictly enough: `..` path components in a key are not rejected, so the path built from the key escapes the directory Incus intends to confine writes to.

Q3 Who is affected? (Versions/Components)

📦 **Vendor**: LXC (the Linux Containers project). **Product**: Incus. **Affected**: versions **prior to 6.23.0**; if you run 6.22.x or earlier, you are exposed. If you run the 6.0 LTS branch, check the advisory for the backported release rather than relying on the version number alone. 📅 Published: 2026-03-26.

Q4 What can hackers do? (Privileges/Data)

💀 **Impact**: High. The CVSS vector rates confidentiality, integrity and availability impact all as **High**. An attacker who can set configuration keys can potentially write arbitrary files, escalate privileges to root, and disrupt the service (DoS).

Q5 Is exploitation threshold high? (Auth/Config)

🔑 **Threshold**: Medium. Requires **Low Privileges** (PR:L) and **Low Complexity** (AC:L), no user interaction (UI:N), and is network reachable (AV:N) over the Incus API. In practice you need an identity that is allowed to set configuration keys. Caveat: under CVSS 3.1 a vector with PR:L cannot reach 10.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H scores 9.9), so either the 10.0 score or the PR:L in this summary is off; confirm the vector against the advisory.

Q6 Is there a public Exp? (PoC/Wild Exploitation)

🕵️ **Exploit Status**: No public PoC is listed in the data (`pocs: []`), and no in-the-wild exploitation is recorded. The advisory is confirmed via a GitHub GHSA, which means the fix is public and the patch diff gives anyone the details needed to build a PoC; given the low barrier to entry, plan for exploitation rather than waiting for a published one.

Q7 How to self-check? (Features/Scanning)

🔍 **Self-Check**: Inventory Incus hosts and compare the **server** version (not just the client version) against 6.23.0. Review instance and profile configuration for keys or values that contain `..` path components, including percent-encoded forms. Monitor for file creation or modification outside the `credentials` directory by the Incus daemon.
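The self-check above, as an added worked example (this is not code from the page or from the Incus project). It assumes that `incus version` prints `Client version:` and `Server version:` lines and that `incus config show <instance> --expanded` prints YAML with the instance keys under a top-level `config:` map; both sample outputs below are constructed. Because the page does not name the affected keys, the scan flags any key or value carrying a `..` path component, which is a triage heuristic rather than a signature of the bug.

```python
"""Self-check helpers for CVE-2026-33945 (Incus path traversal, fixed in 6.23.0).

Added example; not code from the page or from the Incus project.
Assumptions (not stated on the page):
  * `incus version` prints "Client version: X" and "Server version: Y" lines.
  * `incus config show <instance> --expanded` prints YAML with the instance's
    keys under a top-level `config:` map.
  * The page does not name the affected keys, so the scan flags any key or
    value that carries a `..` path component (plain or %2e-encoded). That is
    a triage heuristic, not a signature of the bug.
The sample outputs embedded below are constructed for this example.
"""
import re

FIXED_VERSION = (6, 23, 0)


def parse_version(text):
    """Turn '6.22.0' (or '6.22') into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Incus version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True when the server runs anything older than the fixed 6.23.0 release.

    Applies the page's 'prior to 6.23.0' literally. If you run an LTS branch
    (6.0.x), check the advisory for a backported fix instead of trusting this.
    """
    return parse_version(version) < FIXED_VERSION


def server_version(version_output):
    """Pick the *server* version out of `incus version` output; the client
    version says nothing about the daemon you are actually talking to."""
    for line in version_output.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() == "server version":
            return value.strip()
    raise ValueError("no 'Server version:' line in output")


# A '..' that forms a whole path component: at the start, the end, or between separators.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def has_traversal(s):
    return bool(TRAVERSAL.search(s)) or "%2e%2e" in s.lower()


def find_traversal_keys(config_show_output):
    """Return config keys (children of the `config:` map) whose name or value
    contains a traversal sequence. Other top-level sections are skipped."""
    suspicious = []
    in_config = False
    for raw in config_show_output.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # top-level YAML key
            in_config = raw.strip() == "config:"
            continue
        if not in_config:
            continue
        key, _, value = raw.strip().partition(":")
        if has_traversal(key) or has_traversal(value.strip()):
            suspicious.append(key)
    return suspicious


def assess(version_output, config_show_output):
    """Combine both checks into one verdict for a single server/instance."""
    ver = server_version(version_output)
    return {
        "server_version": ver,
        "vulnerable_version": is_vulnerable(ver),
        "suspicious_keys": find_traversal_keys(config_show_output),
    }


# Constructed sample outputs (not captured from a real system).
SAMPLE_VERSION_OUTPUT = "Client version: 6.23.0\nServer version: 6.22.0\n"
SAMPLE_CONFIG_OUTPUT = """\
architecture: x86_64
config:
  image.os: Ubuntu
  image.release: noble
  user.token_file: credentials/agent.token
  user.credentials_path: ../../etc/cron.d/backdoor
  user.encoded: %2e%2e/%2e%2e/etc/passwd
  volatile.eth0.hwaddr: 00:16:3e:aa:bb:cc
devices: {}
ephemeral: false
profiles:
- default
"""

if __name__ == "__main__":
    # In practice feed this the real output of `incus version` and of
    # `incus config show <instance> --expanded`, once per instance and profile.
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONFIG_OUTPUT))
```

Run it against captured output from each host; a `vulnerable_version` of `True` is the decisive finding, while `suspicious_keys` only tells you where to look first for abuse of the bug on an unpatched host.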

Q8 Is it fixed officially? (Patch/Mitigation)

✅ **Fix**: Yes. Upgrade to **Incus 6.23.0** or later. Official advisory: `https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f`.

Q9 What if no patch? (Workaround)

🚧 **Workaround**: If patching is delayed, keep the Incus API off untrusted networks: the remote API listens only when the `core.https_address` server option is set, so unset it or bind it to a management network reachable solely by administrators. Limit which identities may modify instance and profile configuration (restricted client certificates, project-scoped access), and treat anyone who retains config-write access as able to reach this bug. "Validate and sanitize configuration inputs" is the vendor's fix inside Incus, not something an operator can apply from outside; the only real remedy is the upgrade.

Q10 Is it urgent? (Priority Suggestion)

🔥 **Priority**: **CRITICAL**. High CVSS score + network access + low auth requirement = urgent patching required. Do not ignore this! 🏃‍♂️💨