x/vulndb: potential Go vuln in github.com/lxc/incus: GHSA-56mx-8g9f-5crf #4115
Description
Advisory GHSA-56mx-8g9f-5crf references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/lxc/incus |
Description:
Impact
This affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user.
The most common case for this would be systems using incus-user with the less privileged incus group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a...
References:
- ADVISORY: GHSA-56mx-8g9f-5crf
- ADVISORY: GHSA-56mx-8g9f-5crf
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64507
- FIX: Tighten storage pool permissions lxc/incus#2642
- REPORT: Local privilege escalation: a local unprivileged user in a restricted project may obtain host root privileges under certain conditions. lxc/incus#2641
Cross references:
- github.com/lxc/incus appears in 2 other report(s):
- data/reports/GO-2025-3781.yaml (x/vulndb: potential Go vuln in github.com/lxc/incus/v6: GHSA-9q7c-qmhm-jv86 #3781)
- data/reports/GO-2025-3782.yaml (x/vulndb: potential Go vuln in github.com/lxc/incus/v6: GHSA-p7fw-vjjm-2rwp #3782)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/lxc/incus
non_go_versions:
- introduced: TODO (earliest fixed "", vuln range ">= 6.1.0, <= 6.18.0")
vulnerable_at: 0.7.0
summary: Incus vulnerable to local privilege escalation through custom storage volumes in github.com/lxc/incus
cves:
- CVE-2025-64507
ghsas:
- GHSA-56mx-8g9f-5crf
references:
- advisory: https://github.com/advisories/GHSA-56mx-8g9f-5crf
- advisory: https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-64507
- fix: https://github.com/lxc/incus/pull/2642
- report: https://github.com/lxc/incus/issues/2641
notes:
- fix: 'module merge error: could not merge versions of module github.com/lxc/incus: invalid or non-canonical semver version (found TODO (earliest fixed "", vuln range ">= 6.1.0, <= 6.18.0"))'
source:
id: GHSA-56mx-8g9f-5crf
created: 2025-11-13T17:01:04.591268387Z
review_status: UNREVIEWED