The Incus team has released version 7.2.0 to patch six critical vulnerabilities (each scoring 9.9 on the CVSS scale) that allow file writes at the root level, potentially leading to command execution. The flaws affect all versions prior to v7.2.0 and are predominantly triggered through crafted images and backups. Key vulnerabilities include CVE-2026-48749 (unsanitized symlinks allowing host file access), CVE-2026-48750 (an abused symlink used to place files), and CVE-2026-48769 (a forged image-hash header enabling root writes).
The vulnerabilities pose significant risks, especially in multi-tenant environments. Users are advised to upgrade to v7.2.0 immediately and to avoid importing untrusted images and backups until the upgrade is applied.
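The symlink issues above are the classic archive-extraction problem: an entry whose path or link target resolves outside the extraction root, or a later entry written through an earlier symlink. The following pre-import scanner is an added example, not Incus code; it assumes the image or backup is a tar archive (the sample archive it builds is constructed, not a real Incus artifact) and is a coarse triage aid, not a substitute for the upgrade.

```python
"""Pre-import scan of a tar archive for entries that could write outside the extraction root."""
import io
import posixpath
import tarfile


def _escapes_root(path: str) -> bool:
    # normpath collapses "a/../.." to ".."; anything absolute or above "." escapes
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def find_unsafe_tar_entries(tar_bytes: bytes) -> list[str]:
    """Return one finding per archive entry that could escape the extraction root."""
    findings = []
    symlinks = set()  # normalized names of symlinks seen so far, in archive order
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if _escapes_root(name):
                findings.append(f"{m.name}: entry path escapes extraction root")
                continue
            # An entry whose parent directory is an earlier symlink is written through it.
            parts = name.split("/")
            for i in range(1, len(parts)):
                if "/".join(parts[:i]) in symlinks:
                    findings.append(f"{m.name}: path traverses symlink {'/'.join(parts[:i])}")
                    break
            else:
                if m.issym():
                    # symlink targets resolve relative to the entry's own directory
                    target = posixpath.join(posixpath.dirname(name), m.linkname)
                    if _escapes_root(target):
                        findings.append(f"{m.name}: symlink target {m.linkname} leaves extraction root")
                    symlinks.add(name)
                elif m.islnk() and _escapes_root(m.linkname):
                    # hardlink targets resolve relative to the archive root
                    findings.append(f"{m.name}: hardlink target {m.linkname} leaves extraction root")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus three unsafe entries (hypothetical names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, kind, data=b"", linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = kind, linkname, len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("rootfs/etc/hostname", tarfile.REGTYPE, b"sample\n")
        add("rootfs/link", tarfile.SYMTYPE, linkname="/host-dir")   # absolute symlink target
        add("rootfs/link/payload.txt", tarfile.REGTYPE, b"x")        # written through that symlink
        add("../escape.txt", tarfile.REGTYPE, b"y")                  # parent-directory traversal
    return buf.getvalue()
```

Run it against an image or backup before importing it; any finding is a reason to reject the archive rather than extract it.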