Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN794
_____________________________________________________________________

DATE                : 14/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running incus versions prior
                                to 6.19, 6.0.6.

=====================================================================
https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf
_____________________________________________________________________


Local privilege escalation through custom storage volumes
High
stgraber published GHSA-56mx-8g9f-5crf Nov 10, 2025

Package
github.com/lxc/incus/v6/cmd/incusd (Go)

Affected versions
< 6.19, < 6.0.6

Patched versions
6.19, 6.0.6


Description

Impact

This affects any Incus user in an environment where an unprivileged
user may have root access to a container with an attached custom
storage volume that has the security.shifted property set to true
as well as access to the host as an unprivileged user.

The most common case for this would be systems using incus-user
with the less privileged incus group to provide unprivileged users
with an isolated restricted access to Incus. Such users may be able
to create a custom storage volume with the necessary property
(depending on kernel and filesystem support) and can then write a
setuid binary from within the container which can be executed as
an unpriivleged user on the host to gain root privileges.


Patches

A patch for this issue is available here: #2642

The first commit changes the permissions for any new storage
pool, the second commit applies it on startup to all existing
storage pools.


Workarounds

Permissions can be manually restricted until a patched version
of Incus is deployed.

This is done with:

chmod 0700 /var/lib/incus/storage-pools/*/*
chmod 0711 /var/lib/incus/storage-pools/*/buckets*
chmod 0711 /var/lib/incus/storage-pools/*/container*

Those are the same permissions which will be applied by the
patched Incus for both new and existing storage pools.


References

This was reported publicly on Github by here: #2641

Severity
High
8.6/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2025-64507

Weaknesses
No CWEs


Credits

    @abdodz1234 abdodz1234 Reporter
    @stgraber stgraber Remediation developer


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================