CVE-2026-40197

CVE-2026-40197

Name

CVE-2026-40197

Description

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/lxc/incus/security/advisories/GHSA-r7w7-mmxr-47r9

Type

URI

security-advisories@github.com

https://github.com/lxc/incus/security/advisories/GHSA-r7w7-mmxr-47r9

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:linuxcontainers:incus::::::::`	incus	>= None	< 7.0.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*

incus

>= None

< 7.0.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
incus-feature	edge-community	7.0.0-r0	Leonardo Arena <rnalrd@alpinelinux.org>	fixed
incus	edge-community	7.0.0-r0	Leonardo Arena <rnalrd@alpinelinux.org>	fixed
incus	edge-community	6.0.6-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.6-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r9	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r8	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r7	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r6	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r5	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.5-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r5	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.4-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r3	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.3-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	edge-community	6.0.2-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.6-r2	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.6-r1	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.6-r0	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r8	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r7	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r6	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r5	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable
incus	3.23-community	6.0.5-r4	Leonardo Arena <rnalrd@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

incus-feature

edge-community

7.0.0-r0

Leonardo Arena <rnalrd@alpinelinux.org>

fixed

References

Match rules

Vulnerable and fixed packages