CVE-2025-64507

CVE-2025-64507

Name

CVE-2025-64507

Description

Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/lxc/incus/issues/2641
MISC	https://github.com/lxc/incus/pull/2642
CONFIRM	https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf

Type

URI

MISC

https://github.com/lxc/incus/issues/2641

MISC

https://github.com/lxc/incus/pull/2642

CONFIRM

https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf

Match rules

CPE URI	Source package	Min version	Max version
	incus	>= 0	< 6.0.6
	incus	>= 6.1.0	< 6.19.0
`cpe:2.3:a:linuxcontainers:incus::::::::`	incus	>= None	< 6.0.6

CPE URI

Source package

Min version

Max version

incus

>= 0

< 6.0.6

incus

>= 6.1.0

< 6.19.0

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*

incus

>= None

< 6.0.6

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
incus	edge-community	6.0.5-r7	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r6	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r5	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r5	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.2-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r7	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r6	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r5	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.22-community	6.0.5-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.22-community	6.0.5-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.22-community	6.0.5-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.22-community	6.0.5-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.22-community	6.0.4-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages