Description
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent `slice[i]` access is out of bounds.

An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
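
The guard quoted above, shown next to a strict bounds check, as an added Go example (not Incus source code and not the project's actual patch). The type `snapshotMeta` and the functions `flawedLookup`, `fixedLookup` and `importSnapshots` are hypothetical names, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// snapshotMeta stands in for one parsed snapshot entry (hypothetical type).
type snapshotMeta struct{ Name string }

var errMissingMeta = errors.New("snapshot has no metadata entry in index")

// flawedLookup applies the guard from the description. With len(meta) == 0 and
// i == 0 it evaluates 0 >= -1, which is true, so meta[i] panics. recover() is
// used here only so the example can report the panic instead of exiting.
func flawedLookup(meta []snapshotMeta, i int) (name string, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	if len(meta) >= i-1 {
		name = meta[i].Name
	}
	return name, false
}

// fixedLookup accepts only indexes strictly below len(meta).
func fixedLookup(meta []snapshotMeta, i int) (string, error) {
	if i < 0 || i >= len(meta) {
		return "", errMissingMeta
	}
	return meta[i].Name, nil
}

// importSnapshots pairs each snapshot directory found in the archive with its
// metadata entry and rejects the archive when an entry is missing.
func importSnapshots(onDisk []string, meta []snapshotMeta) error {
	for i, dir := range onDisk {
		if _, err := fixedLookup(meta, i); err != nil {
			return fmt.Errorf("snapshot %q (index %d): %w", dir, i, err)
		}
	}
	return nil
}

func main() {
	truncated := []snapshotMeta{{Name: "snap0"}} // constructed: one entry for two directories
	_, p := flawedLookup(truncated, 1)
	fmt.Println("flawed guard panics on truncated metadata:", p)
	fmt.Println("strict check:", importSnapshots([]string{"snap0", "snap1"}, truncated))
}
```

The flawed guard only blocks the access once `i` exceeds `len(slice)+1`, so the first missing entry is always reached.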
Published: 2026-05-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incus, a system container and virtual machine manager, contains an out‑of‑bounds panic in its snapshot metadata handling. The flaw arises from an incorrect bounds check when indexing snapshot metadata arrays during backup import and migration. An attacker who can submit a backup archive with a tampered index file that does not contain the expected metadata entries causes the daemon to access beyond the end of a slice and crash. Repeated exploitation can keep the service unavailable, resulting in a denial‑of‑service attack. The vulnerability is classified as CWE‑129: Improper Validation of Array Index.

Affected Systems

The issue affects LXC Incus versions prior to 7.0.0. Users who have enabled the storage volume feature and can request the backup/restore interface are potentially vulnerable. The flaw is fixed in version 7.0.0 and later.

Risk and Exploitability

The CVSS v3 score of 7.1 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The attack path requires authenticated access to the Incus backup/restore functionality, so the likely attacker is an authenticated user. Successful exploitation causes the daemon to crash, leading to denial of service. Applying the patch removes the crash vector and restores normal operation.

Generated by OpenCVE AI on May 6, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Incus 7.0.0 or later, which contains the index bounds check fix
  • If upgrading is not possible, restrict the ability to submit backup archives to trusted users only and consider disabling the backup/restore feature until a patch is applied
  • Deploy monitoring to detect and alert on repeated Incus daemon crashes, and isolate the service to limit service disruption



Advisories
Source | ID | Title
Debian DSA | DSA-6244-1 | incus security update
Debian DSA | DSA-6247-1 | lxd security update
GitHub GHSA | GHSA-4m88-wxj4-9qj6 | Incus Vulnerable to Panic via Snapshot Bounds Check

History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Incus out-of-bounds panic in snapshot metadata handling allows denial of service
Weaknesses CWE-129
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:52:33.513Z

Reserved: 2026-04-10T17:31:45.786Z

Link: CVE-2026-40251

Vulnrichment

Updated: 2026-05-07T13:52:19.761Z

NVD

Status : Awaiting Analysis

Published: 2026-05-06T21:16:01.210

Modified: 2026-05-06T21:22:12.560

Link: CVE-2026-40251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z
