Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline, causing a denial of service of the control plane API. This does not impact any running workload; existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service of the Incus control plane API
Action: Patch Now
AI Analysis

Impact

A specially crafted storage‑bucket backup file can cause the Incus daemon to crash. The crash disables the control plane API, resulting in a denial of service for users. The failure does not affect already‑running containers or virtual machines, and the loss of service can persist until the daemon is restarted. The weakness arises from improper handling of user‑supplied data and unchecked memory allocation, corresponding to CWE‑1286 and CWE‑770.

Affected Systems

The vulnerability affects LinuxContainers’ Incus system container and virtual machine manager, all releases older than version 6.23.0. Any user who can access the storage‑bucket feature – either locally or remotely – can trigger the crash. The issue is limited to the Incus daemon; the underlying workloads are unaffected.

Risk and Exploitability

The CVSS base score of 6.5 indicates medium severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to submit a crafted backup via the storage‑bucket API, which typically requires user privileges. Repeated use can keep the control plane offline, but the impact is confined to service availability rather than confidentiality or integrity.

Generated by OpenCVE AI on March 30, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Incus version 6.23.0 or later to eliminate the vulnerability
  • Restrict or disable the storage‑bucket feature for users who do not require it
  • Revoke or suspend untrusted users’ permissions to create or upload bucket backups until a patch is applied
  • Monitor Incus daemon logs for crashes and implement automated restart procedures if feasible


Advisories

Source        ID                    Title
Debian DSA    DSA-6184-1            incus security update
GitHub GHSA   GHSA-vg76-xmhg-j5x3   Incus vulnerable to denial of source through crafted bucket backup file

History

Mon, 30 Mar 2026 19:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Linuxcontainers; Linuxcontainers incus
CPEs                                   cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products                     Linuxcontainers; Linuxcontainers incus

Fri, 27 Mar 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Type                  Values Removed          Values Added
Weaknesses                                    CWE-1286
References                                    (none listed)
Metrics               threat_severity: None   threat_severity: Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Lxc; Lxc incus
Vendors & Products                     Lxc; Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type                  Values Removed   Values Added
Description                            Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
Title                                  Incus vulnerable to denial of source through crafted bucket backup file
Weaknesses                             CWE-770
References                             (none listed)
Metrics                                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:53:39.299Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33743

Vulnrichment

Updated: 2026-03-27T13:27:39.027Z

NVD

Status: Analyzed

Published: 2026-03-26T23:16:20.583

Modified: 2026-03-30T18:54:51.560

Link: CVE-2026-33743

Red Hat

Severity: Moderate

Published Date: 2026-03-26T22:40:07Z

Links: CVE-2026-33743 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:01:24Z

Weaknesses