SNYK-GOLANG-GITHUBCOMLXCINCUSINTERNALINSTANCE-15091893
## Overview Affected versions of this package are vulnerable to CRLF Injection via improper validation of environment variable values in the container configuration process. An attacker can execute arbitrary commands as root on the host by injecting newlines into environment variables, which results in the addition of unintended configuration items such as lifecycle hooks. **Note:** LTS release version 6.0.6 also contains the patch. ## Remediation Upgrade `github.com/lxc/incus/internal/instance` to version 6.21.0 or higher. ## References - [GitHub Commit](https://github.com/lxc/incus/commit/cdf037409fbb35ab0f9fdc4e0e8cc706adbca99e) - [Vulnerable Code](https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Jan 22, 2026 CVE Updated
- Jan 26, 2026 CVE Published
References
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMLXCINCUSINTERNALINSTANCE-15091893 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://github.com/lxc/incus/commit/cdf037409fbb35ab0f9fdc4e0e8cc706adbca99e patch
- https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081 technical