CVE-2026-40195 - Vulnerability Details

- Incus nil-pointer dereference in storage bucket import allows denial of service

Description

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.

Published: 2026-05-06

Score: 7.1 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A nil‑pointer dereference occurs in the backup metadata handling of Incus, allowing an authenticated user with bucket import privileges to crash the daemon by providing a malformed index.yaml that omits the required config block. This flaw is a classic null pointer dereference (CWE‑476) that terminates the service, rendering the system offline.

Affected Systems

Incus versions prior to 7.0.0 are affected. Users of the Incus system container and virtual machine manager who have access to the storage bucket import feature fall within the vulnerable scope.

Risk and Exploitability

The CVSS score is 7.1, indicating a high impact. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authenticated access to the bucket import functionality; an attacker can repeatedly trigger the crash to maintain a denial of service condition.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

lxc

incus

affected

Version	Status	Constraints
`< 7.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Lxc

Incus

100%

Version	Status	Scheme	Platform
`[0,7.0.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Incus to version 7.0.0 or later.
Restrict storage bucket import privileges to trusted accounts until the patch is applied.
Ensure that any existing malformed index.yaml files are removed or corrected to prevent accidental daemon termination.

Generated by OpenCVE AI on May 6, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6244-1	incus security update
Github GHSA	GHSA-gc7j-g665-rxr9	Incus has a Nil-Pointer Dereference Panic via Bucket Metadata

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9

History

Wed, 06 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lxc Lxc incus
Vendors & Products		Lxc Lxc incus

Wed, 06 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
Title		Incus nil-pointer dereference in storage bucket import allows denial of service
Weaknesses		CWE-476
References		https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Lxc Incus

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-06T20:33:34.084Z

Updated: 2026-05-06T20:33:34.084Z

Reserved: 2026-04-09T20:59:17.620Z

Link: CVE-2026-40195

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T21:16:00.793

Modified: 2026-05-06T21:22:12.560

Link: CVE-2026-40195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:00:14Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object