N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64507

GHSA ID

GHSA-56mx-8g9f-5crf

EPSS Score

0.01487%

CWE

CWE-269

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64507

CVE-2025-64507: Incus vulnerable to local privilege escalation through custom storage volumes

Impact

This affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user.

The most common case for this would be systems using incus-user with the less privileged incus group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unpriivleged user on the host to gain root privileges.

Patches

A patch for this issue is available here: https://github.com/lxc/incus/pull/2642

The first commit changes the permissions for any new storage pool, the second commit applies it on startup to all existing storage pools.

Workarounds

Permissions can be manually restricted until a patched version of Incus is deployed.

This is done with:

chmod 0700 /var/lib/incus/storage-pools/*/*
chmod 0711 /var/lib/incus/storage-pools/*/buckets*
chmod 0711 /var/lib/incus/storage-pools/*/container*

Those are the same permissions which will be applied by the patched Incus for both new and existing storage pools.

References

This was reported publicly on Github: https://github.com/lxc/incus/issues/2641

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64507

CVE-2025-64507:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64507

GHSA ID

GHSA-56mx-8g9f-5crf

EPSS Score

0.01487%

CWE

CWE-269

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions
github.com/lxc/incus/v6	go	>= 6.1.0, <= 6.18.0
github.com/lxc/incus/v6	go	<= 6.0.6
github.com/lxc/incus	go	<= 0.7.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a local privilege escalation in Incus caused by overly permissive directory permissions on storage pools, particularly affecting custom storage volumes. The analysis of the provided patches pinpoints the root cause and the functions involved.

The first commit, b0c6c0bac42c6ac27d536984cc043a6ec02b9e7c, reveals the core of the vulnerability. The function backend.createStorageStructure in internal/server/storage/backend.go was creating storage directories with a hardcoded 0o711 permission. This mode is too permissive for custom volumes, allowing unprivileged users on the host to traverse the directory and execute files, leading to privilege escalation if a setuid binary is present. The patch modifies this function to use specific modes for each volume type, tightening security by applying 0o700 to custom volumes.

The second commit, 3abdc12cf6a8dce391d28d340a32c137125357dd, introduces a new function, patchDefaultStoragePermissions, in cmd/incusd/patches.go. This function runs at startup to recursively apply the correct permissions to all existing storage pools. This serves as a mitigation for systems that already have storage pools with the incorrect permissions. The existence of this patch function confirms that the vulnerability was in the initial creation of the directories.

Therefore, backend.createStorageStructure is the primary vulnerable function, as it is executed when a new storage volume is created, which is the action that triggers the vulnerable condition. The patchDefaultStoragePermissions function is a key part of the fix and indicates that the vulnerability was actively being corrected in existing deployments.

Vulnerable functions

backend.createStorageStructure

internal/server/storage/backend.go

This function is responsible for creating the directory structure for storage pools. The original code used a hardcoded and overly permissive file mode (0o711) for all directory types, including custom storage volumes. This allowed an unprivileged user on the host to access and execute files within a container's custom storage volume. An attacker could place a setuid binary in the volume from within a container and then execute it on the host to gain root privileges. The patch fixes this by using specific, more restrictive modes defined for each volume type.

patchDefaultStoragePermissions

cmd/incusd/patches.go

This function was added as a mitigation to fix the permissions of existing storage pools upon daemon startup. It iterates through all storage pools and applies the correct, more restrictive file modes to the volume directories. While not the function that introduces the vulnerability, its addition in the patch confirms that the permissions were previously incorrect and needed to be corrected on existing systems. It is a runtime indicator of the fix being applied.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64507: Incus vulnerable to local privilege escalation through custom storage volumes

Impact

Patches

Workarounds

References

CVE-2025-64507:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64507: Incus vulnerable to local privilege escalation through custom storage volumes

Impact

Patches

Workarounds

References

N/A

N/A

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI