Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline, causing a denial of service of the control plane API. This does not impact any running workload; existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service to Incus control plane API
Action: Patch Now
AI Analysis

Impact

A specially crafted storage bucket backup file can cause the Incus daemon to crash. Repeated use results in a denial of service to the Incus control plane API, while existing containers and virtual machines continue to operate normally. The vulnerability does not affect in-use workloads but disrupts management and orchestration functions.

Affected Systems

The issue affects the Incus container and virtual machine manager from vendor lxc, versions prior to 6.23.0. These systems expose a storage bucket backup capability that an authenticated user can exploit.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Since the exploit requires only crafted backup operations, it is relatively easy for a user with storage bucket privileges to execute. Because the attack does not involve remote code execution or privilege escalation, it is confined to causing service disruption rather than compromising system security. The vulnerability is not listed in CISA's KEV catalog and EPSS is not available, but the impact on management availability makes it significant for environments relying on Incus for orchestration.

Generated by OpenCVE AI on March 27, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Incus to version 6.23.0 or later
  • Restrict access to the storage bucket backup feature until a patch is applied

Generated by OpenCVE AI on March 27, 2026 at 06:28 UTC.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1286

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Lxc; Lxc incus

Type: Vendors & Products
Values Removed: (none)
Values Added: Lxc; Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline, causing a denial of service of the control plane API. This does not impact any running workload; existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.

Type: Title
Values Removed: (none)
Values Added: Incus vulnerable to denial of service through crafted bucket backup file

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-770

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:53:39.299Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33743

Vulnrichment

Updated: 2026-03-27T13:27:39.027Z

NVD

Status: Received

Published: 2026-03-26T23:16:20.583

Modified: 2026-03-27T15:16:56.990

Link: CVE-2026-33743

Redhat

Severity: Moderate

Public Date: 2026-03-26T22:40:07Z

Links: CVE-2026-33743 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:53Z

Weaknesses