MidnightBSD

Advisories for linuxcontainers

CVE-2013-6441 HIGH

The lxc-sshd template (templates/lxc-sshd.in) in LXC before 1.0.0.beta2 uses read-write permissions when mounting /sbin/init, which allows local users to gain privileges by modifying the init file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor Product Version
linuxcontainers lxc 0.3.0
linuxcontainers lxc 0.5.0
linuxcontainers lxc 0.6.2
linuxcontainers lxc 0.7.2
linuxcontainers lxc 0.2.1
linuxcontainers lxc 0.7.3
linuxcontainers lxc 0.6.1
linuxcontainers lxc 0.8.0
linuxcontainers lxc 0.4.0
linuxcontainers lxc 0.7.1
linuxcontainers lxc 0.7.5
linuxcontainers lxc 0.5.1
linuxcontainers lxc 0.6.4
linuxcontainers lxc 0.2.0
linuxcontainers lxc 0.7.4.1
linuxcontainers lxc 0.6.0
linuxcontainers lxc 0.6.3
linuxcontainers lxc 0.1.0
linuxcontainers lxc 0.7.0
linuxcontainers lxc 0.5.2
linuxcontainers lxc 0.7.4
linuxcontainers lxc *
linuxcontainers lxc 0.7.4.2
linuxcontainers lxc 0.6.5

CVE-2014-1425 LOW

cgmanager 0.32 does not properly enforce nesting when modifying cgroup properties, which allows local users to set cgroup values for all cgroups via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.10
canonical ubuntu_linux 14.04
linuxcontainers cgmanager 0.32

CVE-2015-1331 MEDIUM

lxclock.c in LXC 1.1.2 and earlier allows local users to create arbitrary files via a symlink attack on /run/lock/lxc/*.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59

Products Affected

Vendor Product Version
linuxcontainers lxc *

CVE-2015-1334 MEDIUM

attach.c in LXC 1.1.2 and earlier uses the proc filesystem in a container, which allows local container users to escape AppArmor or SELinux confinement by mounting a proc filesystem with a crafted (1) AppArmor profile or (2) SELinux label.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17

Products Affected

Vendor Product Version
linuxcontainers lxc *

CVE-2015-1335 HIGH

lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-59

Products Affected

Vendor Product Version
linuxcontainers lxc 1.1.2
linuxcontainers lxc 1.1.3
linuxcontainers lxc *
canonical ubuntu_linux 15.04
linuxcontainers lxc 1.1.1
canonical ubuntu_linux 14.04
linuxcontainers lxc 1.1.0

CVE-2015-1340 MEDIUM

In LXD before version 0.19-0ubuntu5, doUidshiftIntoContainer() has an unsafe Chmod() call that races against the stat in the filepath.Walk() function. A symbolic link created in that window could cause any file on the system to have any mode of the attacker's choice.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362

Products Affected

Vendor Product Version
linuxcontainers lxd -

CVE-2016-10124 MEDIUM

An issue was discovered in Linux Containers (LXC) before 2016-02-22. When executing a program via lxc-attach, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the container.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284

Products Affected

Vendor Product Version
linuxcontainers lxc *

CVE-2016-8649 HIGH

lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor Product Version
linuxcontainers lxc *

CVE-2017-18641 HIGH

In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running it to bootstrap containers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287

Products Affected

Vendor Product Version
linuxcontainers lxc 2.0.0

CVE-2017-5985 LOW

lxc-user-nic in Linux Containers (LXC) allows local users with an lxc-usernet allocation to create network interfaces on the host and choose the name of those interfaces by leveraging the lack of a netns ownership check.

CVSS 2.0

Severity: LOW

Problem Type: CWE-862

Products Affected

Vendor Product Version
linuxcontainers lxc *

CVE-2018-6556 LOW

lxc-user-nic, when asked to delete a network interface, will unconditionally open a user-provided path. This code path may be used by an unprivileged user to check for the existence of a path which they wouldn't otherwise be able to reach. It may also be used to trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys). Affected releases are LXC: 2.0 versions above and including 2.0.9; 3.0 versions above and including 3.0.0, prior to 3.0.2.

CVSS 2.0

Severity: LOW

Problem Type: CWE-417

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
suse caas_platform 2.0
opensuse leap 15.0
suse suse_linux_enterprise_server 11
linuxcontainers lxc *
suse openstack_cloud 6
suse caas_platform 1.0

CVE-2019-5736 HIGH

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78

Products Affected

Vendor Product Version
opensuse leap 42.3
fedoraproject fedora 30
microfocus service_management_automation 2018.08
opensuse leap 15.0
opensuse leap 15.1
fedoraproject fedora 29
linuxfoundation runc *
redhat openshift 3.4
canonical ubuntu_linux 16.04
apache mesos *
redhat openshift 3.7
redhat container_development_kit 3.7
microfocus service_management_automation 2018.11
google kubernetes_engine -
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 19.04
redhat openshift 3.6
d2iq kubernetes_engine *
microfocus service_management_automation 2018.05
docker docker *
opensuse backports_sle 15.0
redhat enterprise_linux 8.0
canonical ubuntu_linux 18.04
netapp solidfire -
netapp hci_management_node -
redhat openshift 3.5
hp onesphere -
canonical ubuntu_linux 18.10
linuxcontainers lxc *
d2iq dc/os *
linuxfoundation runc 1.0.0
microfocus service_management_automation 2018.02

CVE-2022-47952

lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.

Products Affected

Vendor Product Version
linuxcontainers lxc *

CVE-2025-64507

Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true`, as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with isolated, restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container, which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed.

Products Affected

Vendor Product Version
linuxcontainers incus *

CVE-2026-23953

Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g. /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action, for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.7 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 2.3 5.8

Products Affected

Vendor Product Version
linuxcontainers incus *

CVE-2026-23954

Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve arbitrary file read and arbitrary file write on the host. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.7 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 2.3 5.8

Products Affected

Vendor Product Version
linuxcontainers incus *

CVE-2026-33542

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
linuxcontainers incus *

CVE-2026-33711

Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on a temporary file that QEMU writes the screenshot to, which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus into truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
linuxcontainers incus *

CVE-2026-33743

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can keep the server offline, causing a denial of service of the control plane API. This does not impact any running workload; existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
linuxcontainers incus *

CVE-2026-33897

Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary reads or writes as root on the host server. Incus allows for pongo2 templates within instances, which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write, but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed so that a template could theoretically read a file and then generate a new version of said file. Unfortunately, the chroot isolation mechanism is entirely skipped by pongo2, leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
linuxcontainers incus *