VDB

SNYK-GOLANG-GITHUBCOMLXCINCUSINTERNALINSTANCE-15091893

SNYK-GOLANG-GITHUBCOMLXCINCUSINTERNALINSTANCE-15091893 PUBLISHED CVSS 8.300000190734863 HIGH

## Overview Affected versions of this package are vulnerable to CRLF Injection via improper validation of environment variable values in the container configuration process. An attacker can execute arbitrary commands as root on the host by injecting newlines into environment variables, which results in the addition of unintended configuration items such as lifecycle hooks. **Note:** LTS release version 6.0.6 also contains the patch. ## Remediation Upgrade `github.com/lxc/incus/internal/instance` to version 6.21.0 or higher. ## References - [GitHub Commit](https://github.com/lxc/incus/commit/cdf037409fbb35ab0f9fdc4e0e8cc706adbca99e) - [Vulnerable Code](https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081)

Risk Scores

CVSS 3.1
8.300000190734863
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:P

Affected Products

VendorProductVersions
0

Timeline

  • Jan 22, 2026 CVE Updated
  • Jan 26, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›