Fluid Attacks Database

Description

Incus vulnerable to local privilege escalation through VM screenshot path in github.com/lxc/incus Incus vulnerable to local privilege escalation through VM screenshot path in github.com/lxc/incus

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	incus	=6.0.4-2 \|\| =6.0.4-2+deb13u1 \|\| =6.0.4-2+deb13u1~bpo12+1 \|\| =6.0.4-2+deb13u2 \|\| =6.0.4-2+deb13u2~bpo12+1 \|\| =6.0.4-2+deb13u3 \|\| =6.0.4-2+deb13u3~bpo12+1 \|\| =6.0.4-2+deb13u4 \|\| =6.0.4-2+deb13u4~bpo12+1 \|\| =6.0.4-2+deb13u5 \|\| =6.0.4-2+deb13u5~bpo12+1 \|\| =6.0.4-2+deb13u6 \|\| =6.0.4-2+deb13u6~bpo12+1 \|\| =6.0.4-3 \|\| =6.0.5-1 \|\| =6.0.5-2 \|\| =6.0.5-3 \|\| =6.0.5-4 \|\| =6.0.5-5 \|\| =6.0.5-6 \|\| =6.0.5-7 \|\| =6.0.5-8 \|\| =6.0.6-1 \|\| =6.0.6-2 \|\| =6.0.6-3 \|\| =6.14.0-1~exp1 \|\| =6.15.0-1~exp1 \|\| =6.16.0-1~exp1 \|\| =6.17.0-1~exp1 \|\| =6.20.0-1~exp1 \|\| =6.21.0-1~exp1 \|\| =6.22.0-1~exp1 \|\| =6.23.0-1~exp1	-
debian 14	incus	=6.0.4-2 \|\| =6.0.4-3 \|\| =6.0.5-1 \|\| =6.0.5-2 \|\| =6.0.5-3 \|\| =6.0.5-4 \|\| =6.0.5-5 \|\| =6.0.5-6 \|\| =6.0.5-7 \|\| =6.0.5-8 \|\| =6.0.6-1 \|\| >=0 <6.0.6-2	6.0.6-2
go	github.com/lxc/incus/v6	>=0 <6.23.0	6.23.0
go	github.com/lxc/incus	-	-

Aliases

1. CVE-2026-337112. NVD-2026-337113. OSV-DEBIAN-2026-337114. OSV-2026-337115. OSV-GO-2026-48856. GHSA-q9vp-3wcg-8p4x7. GCVE-2026-337118. SECURITY-TRACKER-CVE-2026-337119. GHSA-q9vp-3wcg-8p4x

References

1. https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x2. https://github.com/lxc/incus/commit/ef006240ac2475ddea7b8406cecc7dbd1a883fdf3. https://github.com/lxc/incus/releases/tag/v6.23.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.