Description
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
Published: 2026-05-06
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a nil‑pointer dereference in the custom volume import subsystem of Incus, a container and virtual machine manager. During an import of a backup archive that contains a null entry in the volume_snapshots array, the daemon blindly accesses fields such as Name, Config, Description, CreatedAt, and ExpiresAt on a pointer that was not initialized. This causes the Incus daemon to crash, making the node unavailable to legitimate users. The weakness is a classic null‑pointer dereference, which the CNA classifies as CWE‑476.

Affected Systems

Affecting all Incus installations running a version older than 7.0.0. The issue has been corrected in 7.0.0, so any system using 7.0.0 or later is safe. Until an upgrade can be performed, the vulnerability remains in any system that allows authenticated users to import custom volume backups.

Risk and Exploitability

The CVSS base score is 7.1, indicating a moderate‑to‑high severity. The exploit requires a user with permission to import storage volumes, so an authenticated adversary with such privileges can trigger it. The vulnerability is not listed in the CISA KEV catalog, and no EPSS data is available, so the exploitation probability is unknown. The denial of service can be repeated, potentially keeping an affected node offline for extended periods. The impact is therefore a system availability loss that could disrupt services relying on Incus.

Generated by OpenCVE AI on May 6, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Incus installation to version 7.0.0 or newer, which removes the invalid dereference logic.
  • If an immediate upgrade is not possible, restrict backup import operations to highly trusted users and pre‑validate any backup archives to ensure the volume_snapshots array contains no null entries before invoking the import process.
  • After applying the fix or working‑around, monitor the Incus logs for unexpected crashes and configure the daemon to restart automatically to maintain service continuity.

Generated by OpenCVE AI on May 6, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6244-1 incus security update
Debian DSA Debian DSA DSA-6247-1 lxd security update
Github GHSA Github GHSA GHSA-r7w7-mmxr-47r9 Incus has a Nil-Pointer Dereference via Custom Volume Import
History

Wed, 06 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
Title Incus nil-pointer dereference in custom volume import allows denial of service
Weaknesses CWE-476
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Lxc Incus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T20:36:24.000Z

Reserved: 2026-04-09T20:59:17.621Z

Link: CVE-2026-40197

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T21:16:00.930

Modified: 2026-05-06T21:22:12.560

Link: CVE-2026-40197

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses